[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Don't remove TS from IKEv2

To: "'sommerfeld@east.sun.com'" <sommerfeld@east.sun.com>
Subject: RE: Don't remove TS from IKEv2
From: Michael Choung Shieh <mshieh@netscreen.com>
Date: Wed, 20 Mar 2002 12:18:50 -0800
Cc: IP Security List <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com


An id or name (I mean phase 2 sa id, not phase 1) can represent the "scope",
either it's a single address, or the combination of 10 adresses and 5
subnets and 6 ranges and 3 sevices.  

Besides, how do you decide if tunnel can be created if the "scopes" are a
little different, or must be exact matched?  How about it's dynamic scope?
It's better to take it out of IKE or put it as optional.

Michael Shieh

> -----Original Message-----
> From: Bill Sommerfeld [mailto:sommerfeld@east.sun.com]
> Sent: Wednesday, March 20, 2002 11:57 AM
> To: Michael Choung Shieh
> Cc: IP Security List
> Subject: Re: Don't remove TS from IKEv2 
> 
> 
> > I would say agree on a simple id or name is easier than on a complex
> > selector under heterogenous adminstration.
> 
> That doesn't solve the problem.
> 
> A name says *who* I'm talking to.
> 
> The TS selectors specify the *scope* of the SA's that are being
> negotiated (i.e., address only, or 5-tuple, or ..).
> 
> 						- Bill
>

Follow-Ups:
- Re: Don't remove TS from IKEv2
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>
- RE: Don't remove TS from IKEv2
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: Don't remove TS from IKEv2
Next by Date: Re: Don't remove TS from IKEv2
Prev by thread: RE: Don't remove TS from IKEv2
Next by thread: Re: Don't remove TS from IKEv2
Index(es):
- Date
- Thread