
Re: remove TS from IKEv2 (RE: Addresses in traffic selectors in IKEv2)



Michael Choung Shieh <mshieh@netscreen.com> wrote:
> I will propose to remove TS entirely so we don't need to worry about IP
> subnet vs. range any more.
> 
> Numerous problems have been encountered when putting proxy_id in IKEv1 (it's
> improved when using TS in IKEv2 but the fundamental problem is not solved).
> The basic problem I see is we try to put SPD inside key management protocol,
> which has lots of problems when dynamic routing is implemented.

I agree with this.  Traffic selection is more complex and
implementation-specific than can be expressed in a reasonable
negotiation protocol.  It would be nice if the key management protocol
could protect against mismatched traffic policies at the ends, but it
doesn't seem to actually work in general.

Michael Choung Shieh expressed the issues well, but I'll give another
example.  Host A running IPsec from vendor X supports a service called
"H.323", and security gateway B running firewall software from vendor Y
supports a service called "NetMeeting".  These two implementations of
slightly different things have a compatible subset that will allow the
end users' traffic through, but how do these two gateways tell each
other what traffic selectors to use?  The concept of "a network service"
doesn't always translate into a few numbers in IP header fields.

					-=] Mike [=-

Sun Microsystems
Solaris Security Technologies
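As an added example (not from this thread or from either poster), a small Python model of IKEv2 responder-side traffic-selector narrowing (RFC 7296 section 2.9): each TS is a protocol, a port range and an address range, and the responder keeps the common subset. The "H.323" and "NetMeeting" definitions, ports and addresses are constructed; the model shows the compatible-subset outcome and the subnet-vs-range issue raised in the quoted message.

```python
# Added example: IKEv2-style TS narrowing. Service definitions and addresses are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TS:
    proto: int                      # IP protocol number (6 = TCP, 17 = UDP), 0 = any
    port_lo: int
    port_hi: int
    addr_lo: ipaddress.IPv4Address  # a TS carries a start/end address pair, not a prefix
    addr_hi: ipaddress.IPv4Address

def ts(proto, port_lo, port_hi, addr_lo, addr_hi):
    return TS(proto, port_lo, port_hi,
              ipaddress.IPv4Address(addr_lo), ipaddress.IPv4Address(addr_hi))

def intersect(a, b):
    """Common subset of two selectors, or None when they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    port_lo, port_hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    addr_lo, addr_hi = max(a.addr_lo, b.addr_lo), min(a.addr_hi, b.addr_hi)
    if port_lo > port_hi or addr_lo > addr_hi:
        return None
    return TS(a.proto or b.proto, port_lo, port_hi, addr_lo, addr_hi)

def narrow(proposed, policy):
    """Responder narrowing: keep every non-empty pairwise intersection, deduplicated."""
    out = []
    for p in proposed:
        for q in policy:
            r = intersect(p, q)
            if r is not None and r not in out:
                out.append(r)
    return out

def single_subnet(sel):
    """True if the selector's address range can be written as one CIDR prefix."""
    return len(list(ipaddress.summarize_address_range(sel.addr_lo, sel.addr_hi))) == 1

# Constructed: host A (vendor X) calls "H.323" call signalling plus a wide dynamic band
# for the whole 10.0.0.0/24 prefix.
H323 = [ts(6, 1720, 1720, "10.0.0.0", "10.0.0.255"),
        ts(6, 1024, 65535, "10.0.0.0", "10.0.0.255"),
        ts(17, 1024, 65535, "10.0.0.0", "10.0.0.255")]
# Constructed: gateway B (vendor Y) calls "NetMeeting" a few fixed ports plus a narrower
# dynamic band, and only for an address range that is not a single subnet.
NETMEETING = ([ts(6, p, p, "10.0.0.5", "10.0.0.20") for p in (389, 1503, 1720, 1731)]
              + [ts(6, 49152, 65535, "10.0.0.5", "10.0.0.20"),
                 ts(17, 49152, 65535, "10.0.0.5", "10.0.0.20")])

AGREED = narrow(H323, NETMEETING)  # B's TCP 389 is outside anything A offered and is dropped
```

The agreed set is narrower than either vendor's idea of the service, and its address range cannot be installed by an implementation whose SPD only speaks prefixes.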