
Re: remove TS from IKEv2 (RE: Addresses in traffic selectors in IKEv2)



> From: Michael Choung Shieh <mshieh@netscreen.com>
> 
> I will propose to remove TS entirely so we don't need to worry about IP
> subnet vs. range any more.

Well, not remove, but understand clearly the separation between SPD
selectors and SAD parameters for an SA.

Some "selector like" parameters are needed for SA, so that connection
or protocol specific SA's are possible in transport mode.

For Security gateway use, some address ranges (or masks) might be
useful.

For me, sufficient parameters in TS for one-directional SA really
would be (where 0 indicates wild card, any)

 - protocol: 0 or specific value
 - source port: 0 or specific value
 - destination port: 0 or specific value
 - source address: 0 or specific value

For SG SA, you may need something that was called "proxy" in PFKEY,
and that might need to support masked address or address range.

IKEv1 almost had all these fields, but implementations used them
"wrong" in my view, trying to pass SPD selectors in them instead...

But, if people are willing to put more general values for the future, like
ranges, it's ok too.

I do think multiple address ranges are already overkill, please don't
do that (that's just too much to hang on SA and match...)

However, if I just could get the IKEv2 designers to see this minor
distinction between SPD stuff and SAD stuff, and treat TS as SAD
stuff, it seems almost perfect as defined. :-)

-- 
Markku Savela <Markku.Savela@iki.fi>
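The one-directional SA parameter set proposed in the post (protocol, source port, destination port, source address, each 0 meaning "any", with a masked or ranged source address for the security-gateway case), written out as an added Python matcher. This is example code, not code from the post or from any IKE implementation; the SadSelector and Packet layouts and the sample SAD entries are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0  # wildcard: "0 indicates wild card, any" in the post


def _addr_matches(spec, addr: str) -> bool:
    """True if addr fits spec: 0 (any), a host, a CIDR subnet, or a 'lo-hi' range."""
    if spec == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    if isinstance(spec, str) and "-" in spec:  # address range (SG "proxy" style)
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)  # host or masked subnet


@dataclass(frozen=True)
class SadSelector:
    """Per-SA match parameters for one direction (assumed layout, not a standard)."""
    protocol: int = ANY
    src_port: int = ANY
    dst_port: int = ANY
    src_addr: object = ANY  # 0, "host", "net/mask" or "lo-hi"


@dataclass(frozen=True)
class Packet:
    protocol: int
    src_addr: str
    src_port: int
    dst_port: int


def sa_matches(sel: SadSelector, pkt: Packet) -> bool:
    """Each field is either wildcarded (0) or must equal the packet's value."""
    return (
        (sel.protocol == ANY or sel.protocol == pkt.protocol)
        and (sel.src_port == ANY or sel.src_port == pkt.src_port)
        and (sel.dst_port == ANY or sel.dst_port == pkt.dst_port)
        and _addr_matches(sel.src_addr, pkt.src_addr)
    )


# Constructed sample SAD: a transport-mode SA for SSH from one host (TCP=6),
# a security-gateway SA covering a source subnet, and one using a range.
SAD = [
    ("sa-ssh", SadSelector(protocol=6, dst_port=22, src_addr="192.0.2.10")),
    ("sa-sg", SadSelector(src_addr="10.1.0.0/16")),
    ("sa-range", SadSelector(protocol=17, src_addr="10.2.0.1-10.2.0.9")),
]


def select_sa(pkt: Packet, sad=SAD):
    """Return the name of the first SA whose parameters cover the packet, else None."""
    for name, sel in sad:
        if sa_matches(sel, pkt):
            return name
    return None
```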