
RE: Don't remove TS from IKEv2



At 9:07 PM -0800 3/21/02, Michael Choung Shieh wrote:
>I just mean a selector may be the combination of "10 addresses and 5 subnets
>and 6 ranges and 3 services".  The argument in this (long) thread is to
>propose to use id or name to replace TS and put TS as optional, not
>selector.
>
>Michael
>

Oh, that was not clear from the words you used.  In that case, I 
can't complain that you are misinterpreting the existing SPD design, 
but I will argue that this is a bad idea :-).  We already agree that 
two IPsec peers may have trouble coordinating SPD entries in order to 
achieve consistent expressions of access control policies. We are 
working on ways to reduce ambiguity in the expression of such 
policies when the intent is compatible.  Putting in symbolic 
identifiers creates a whole new set of opportunities for mismatches, 
by adding in a layer of naming. I do not see how this helps address 
the fundamental problem.

Steve
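To make the mismatch argument concrete, here is an added worked example (not code from this thread or from any IKEv2 implementation). It models a selector as Michael describes it (address range plus protocol and port range), computes the overlap two peers end up with when they exchange explicit selectors, and then shows what happens when they instead exchange only a symbolic name that each side expands from its own table. The peer tables, the name "finance-net" and the probe host 10.1.1.7 are constructed for the illustration; the overlap computation is a generic intersection, not a claim about the exact rules in any particular draft.

```python
"""Traffic selectors vs. symbolic names: an added illustration of the
mismatch argument, not code from the IPsec WG thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """A traffic selector: inclusive address range, protocol (0 = any), port range."""
    start: int
    end: int
    proto: int
    port_lo: int
    port_hi: int


def sel(addr, proto=0, ports=(0, 65535)):
    """Build a Selector from a single address, a CIDR block or an 'a-b' range."""
    if "-" in addr:
        lo, hi = addr.split("-")
        start, end = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    else:
        net = ipaddress.ip_network(addr, strict=False)
        start, end = int(net.network_address), int(net.broadcast_address)
    return Selector(start, end, proto, ports[0], ports[1])


def intersect(a, b):
    """Overlap of two selectors, or None if they share no traffic."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    start, end = max(a.start, b.start), min(a.end, b.end)
    lo, hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if start > end or lo > hi:
        return None
    return Selector(start, end, a.proto or b.proto, lo, hi)


def narrow(initiator_ts, responder_ts):
    """Explicit TS exchange: the agreed set is the pairwise overlap.

    Both sides then hold the same concrete selectors, so a disagreement
    between their SPDs shows up in what came back (possibly nothing).
    """
    agreed = set()
    for a in initiator_ts:
        for b in responder_ts:
            c = intersect(a, b)
            if c is not None:
                agreed.add(c)
    return agreed


def resolve(name, table):
    """Symbolic-name exchange: each peer expands the name from its own table."""
    return set(table[name])


def covers(ts, addr, proto=0, port=0):
    """Does any selector in ts match this (addr, proto, port)?"""
    ip = int(ipaddress.ip_address(addr))
    return any(s.start <= ip <= s.end
               and (s.proto == 0 or s.proto == proto)
               and s.port_lo <= port <= s.port_hi
               for s in ts)


# Constructed tables (hypothetical): peer B's definition of "finance-net"
# has drifted from the /24 that peer A still uses to a /23.
PEER_A = {"finance-net": [sel("10.1.0.0/24", proto=6, ports=(443, 443))]}
PEER_B = {"finance-net": [sel("10.1.0.0/23", proto=6, ports=(443, 443))]}


def explicit_exchange():
    """Peers send concrete selectors; the result is the exact common ground."""
    return narrow(resolve("finance-net", PEER_A), resolve("finance-net", PEER_B))


def name_exchange():
    """Peers send only the name. On the wire they 'agree', but the
    expansions differ: returns (name matched, A covers probe, B covers probe)."""
    matched = "finance-net" in PEER_A and "finance-net" in PEER_B
    a_ts, b_ts = resolve("finance-net", PEER_A), resolve("finance-net", PEER_B)
    probe = "10.1.1.7"   # constructed host: inside B's /23, outside A's /24
    return matched, covers(a_ts, probe, 6, 443), covers(b_ts, probe, 6, 443)


if __name__ == "__main__":
    print("explicit:", explicit_exchange())
    print("by name:", name_exchange())
```

With explicit selectors the two peers end up with the single /24 both can honour, and anything outside it is visibly not covered by the SA. With the name alone, the exchange succeeds because the strings match, yet peer B believes traffic from 10.1.1.7 is protected while peer A does not select it at all; that is the extra mismatch opportunity the naming layer introduces, on top of the SPD coordination problem that exists either way.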