RE: Don't remove TS from IKEv2
I just mean a selector may be the combination of "10 addresses and 5 subnets
and 6 ranges and 3 services". The argument in this (long) thread is to
propose to use id or name to replace TS and put TS as optional, not
selector.
Michael
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Thursday, March 21, 2002 7:15 AM
> To: Michael Choung Shieh
> Cc: IP Security List
> Subject: RE: Don't remove TS from IKEv2
>
>
> At 12:18 PM -0800 3/20/02, Michael Choung Shieh wrote:
> >An id or name (I mean phase 2 sa id, not phase 1) can represent the "scope",
> >either it's a single address, or the combination of 10 addresses and 5
> >subnets and 6 ranges and 3 services.
>
> Not sure what you mean by this comment. The names defined in 2401 as
> selectors were intended only for symbolic replacements for individual
> IP addresses, where the specific addresses are instantiated when the
> SA is established. Thus, for example, an IKE responder could have an
> SPD entry with the name of an individual, to support a mobile user.
> When the user connects from the Internet, he presents a certificate
> with a name that matches the SPD entry. Assuming the certificate is
> appropriately validated, the responder should create a transient SPD
> entry (or, in the new model, an SPD cache entry) that takes the
> original SPD entry and substitutes the IP address for the name. There
> was never an intent that the name forms be used in any selector other
> than the IP addresses. I admit that 2401 did not do a good job of
> explaining this, but we plan to clarify in the rev of 2401.
>
> Steve
>
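The name-selector instantiation Steve describes, as an added illustration written for this page (not code from RFC 2401, this thread, or any IKE implementation): an SPD entry keyed on a user's name is copied into a transient cache entry with the peer's address substituted only in the address selector, and nothing is created when the certificate did not validate or no name matches. The `SpdEntry`/`PeerAuth` structures and all sample values are assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class SpdEntry:
    # RFC 2401-style selector fields; `remote` holds either a literal IP
    # address or a symbolic name ("name:<identity>") that is only a
    # placeholder for an address filled in when the SA is established.
    local_addr: str
    remote: str
    protocol: str
    remote_port: str
    action: str

@dataclass(frozen=True)
class PeerAuth:
    cert_name: str    # subject name taken from the presented certificate
    validated: bool   # outcome of certificate validation
    source_ip: str    # address the peer is connecting from

def instantiate(spd: List[SpdEntry], peer: PeerAuth) -> Optional[SpdEntry]:
    """Derive a transient SPD cache entry for an authenticated peer.

    The name is substituted only in the address selector; protocol and
    port selectors are copied through unchanged.  Returns None when the
    certificate did not validate or when no name entry matches.
    """
    if not peer.validated:
        return None
    for entry in spd:
        if entry.remote == "name:" + peer.cert_name:
            return replace(entry, remote=peer.source_ip)
    return None

def lookup(cache: List[SpdEntry], src_ip: str, proto: str, port: str) -> Optional[str]:
    """Classify an inbound packet against the SPD cache; return its action or None."""
    for entry in cache:
        if (entry.remote == src_ip and entry.protocol == proto
                and entry.remote_port in ("any", port)):
            return entry.action
    return None

# Constructed sample policy: one entry named for a mobile user (assumed values).
SPD = [SpdEntry("203.0.113.1", "name:alice@example.test", "tcp", "any", "protect")]

if __name__ == "__main__":
    alice = PeerAuth("alice@example.test", True, "192.0.2.10")
    cache_entry = instantiate(SPD, alice)
    print(cache_entry)
    print(lookup([cache_entry], "192.0.2.10", "tcp", "22"))
```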