
RE: Move TS to optional (RE: Don't remove TS from IKEv2)



As I remember it, Jan and Pyda's draft does suggest that you can add these
as dynamic SPD rules after you know the eventual port number.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Dan Harkins
> Sent: Monday, March 25, 2002 4:59 PM
> To: Michael Choung Shieh
> Cc: Rajesh Mohan; IP Security List
> Subject: Re: Move TS to optional (RE: Don't remove TS from IKEv2)
>
>
>   The SPD is an ordered list of selectors that define a set of IP traffic
> to which a particular security policy is applied. RFC2401 is specific
> about what a selector is. Can you define "FTP" or "H.323" using an ordered
> list of RFC2401-defined selectors? If so please tell me how. If not then
> please tell me why you think IKEv2 should be able to express something
> that you are not able to configure in the first place?
>
>   Dan.
>
> On Mon, 25 Mar 2002 11:54:18 PST you wrote
> >
> > > -----Original Message-----
> > > From: Dan Harkins [mailto:dharkins@tibernian.com]
> > > Sent: Monday, March 25, 2002 11:00 AM
> > > To: Rajesh Mohan
> > > Cc: IP Security List
> > > Subject: Re: Move TS to optional (RE: Don't remove TS from IKEv2)
> > >
> > >
> > > On Fri, 22 Mar 2002 18:01:10 PST you wrote
> > > >
> > > > We do not need no-TS feature if IKEv2 can solve all cases. Can we configure
> > > > IKEv2 such that between the same pair of hosts we have "ESP null for H.323"
> > > > and "ESP for FTP"? If the draft cannot cover this case, then no-TS feature
> > > > will be useful where it is needed.
> > >
> > > IKEv2 is not configured to express that, the SPD is. Can you configure the
> > > SPD to express "ESP for FTP" or "ESP null for H.323"? If you can then that
> > > representation in the SPD is passed to IKEv2 when a packet matches that rule
> > > and no SA exists. If you cannot then this is not an IKEv2 issue.
> > >
> > >   Dan.
> > >
> >
> > It IS an IKEv2 issue when SPD is converted to TS and TS is used in IKEv2.
> > Everyone MUST have a standard way to say what is "FTP" or "H323".  The
> > representation of SPD and the conversion of SPD to TS must be standardized
> > to achieve IKE interoperability.
> >
> > Michael Shieh
>
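The thread turns on one point: an SPD entry is an ordered list of RFC2401 selectors (addresses, protocol, ports), and "FTP" or "H.323" cannot be named by static selectors alone because the data or media ports are negotiated inside the control connection. The model below, an added example that is not code from the thread, from RFC2401 or from the Jan/Pyda draft, implements a toy ordered SPD with those selectors and shows both halves of the argument: the FTP control connection (port 21) and H.323 call signalling (port 1720) match static entries, the FTP data connection on a negotiated port falls through to the catch-all, and only after a dynamic SPD entry for that 5-tuple is added (the approach Andrew attributes to the draft) does the lookup return a PROTECT/ESP policy that could be handed to IKE as a traffic selector. The hosts 10.0.0.1/10.0.0.2, the port numbers and the DISCARD catch-all are constructed for the illustration; the `SPD`, `Selector` and `add_dynamic` names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    """The fields an outbound packet is classified on (constructed model)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """RFC2401-style selector; None means ANY for that field (OPAQUE is folded into ANY here)."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str            # "PROTECT", "BYPASS" or "DISCARD"
    transform: str = ""    # for PROTECT: "ESP" or "ESP-NULL" in this model
    dynamic: bool = False  # True for entries installed after in-band port negotiation


class SPD:
    """Ordered list of entries; the first matching selector decides the policy."""

    def __init__(self, entries: List[SPDEntry]) -> None:
        self.entries = list(entries)

    def lookup(self, p: Packet) -> Optional[SPDEntry]:
        return next((e for e in self.entries if e.selector.matches(p)), None)

    def add_dynamic(self, selector: Selector, transform: str) -> None:
        # A learned 5-tuple is the most specific rule, so it goes ahead of the
        # static entries and, in particular, ahead of the catch-all.
        self.entries.insert(0, SPDEntry(selector, "PROTECT", transform, dynamic=True))

    def remove_dynamic(self, selector: Selector) -> int:
        before = len(self.entries)
        self.entries = [e for e in self.entries if not (e.dynamic and e.selector == selector)]
        return before - len(self.entries)


def describe(entry: Optional[SPDEntry]) -> str:
    if entry is None:
        return "NO-MATCH"
    return f"{entry.action} {entry.transform}".strip()


def demo() -> Dict[str, str]:
    """Classify FTP/H.323 traffic between one host pair before and after a dynamic rule."""
    a, b = "10.0.0.1", "10.0.0.2"
    pair = dict(src=a + "/32", dst=b + "/32")
    spd = SPD([
        SPDEntry(Selector(proto=TCP, dport=21, **pair), "PROTECT", "ESP"),        # FTP control
        SPDEntry(Selector(proto=TCP, dport=1720, **pair), "PROTECT", "ESP-NULL"), # H.323 signalling
        SPDEntry(Selector(**pair), "DISCARD"),                                   # catch-all for the pair
    ])
    ftp_ctrl = Packet(a, b, TCP, 50000, 21)
    h323_sig = Packet(a, b, TCP, 50002, 1720)
    ftp_data = Packet(a, b, TCP, 50001, 40123)  # passive-mode data port learned from the control channel

    out = {
        "ftp_control": describe(spd.lookup(ftp_ctrl)),
        "h323_signalling": describe(spd.lookup(h323_sig)),
        "ftp_data_before": describe(spd.lookup(ftp_data)),
    }
    learned = Selector(proto=TCP, sport=50001, dport=40123, **pair)
    spd.add_dynamic(learned, "ESP")
    out["ftp_data_after"] = describe(spd.lookup(ftp_data))
    out["dynamic_entries"] = str(sum(e.dynamic for e in spd.entries))
    spd.remove_dynamic(learned)  # teardown when the session ends
    out["ftp_data_closed"] = describe(spd.lookup(ftp_data))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The matching selector (address pair, protocol, ports) of a PROTECT entry is exactly what would be passed to IKE as the traffic selector when no SA exists, which is Dan's point; the dynamic entry is the only way the negotiated data port ever appears in that list, which is Andrew's. The example also shows the operational cost of the dynamic approach: an entry must be removed again when the session closes, or the SPD accumulates stale 5-tuples.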