RE: Don't remove TS from IKEv2
At 9:07 PM -0800 3/21/02, Michael Choung Shieh wrote:
>I just mean a selector may be the combination of "10 addresses and 5 subnets
>and 6 ranges and 3 services". The argument in this (long) thread is to
>propose to use id or name to replace TS and put TS as optional, not
>selector.
>
>Michael
>
Oh, that was not clear from the words you used. In that case, I
can't complain that you are misinterpreting the existing SPD design,
but I will argue that this is a bad idea :-). We already agree that
two IPsec peers may have trouble coordinating SPD entries in order to
achieve consistent expressions of access control policies. We are
working on ways to reduce ambiguity in the expression of such
policies when the intent is compatible. Putting in symbolic
identifiers creates a whole new set of opportunities for mismatches,
by adding in a layer of naming. I do not see how this helps address
the fundamental problem.
Steve