
Re: Move TS to optional (RE: Don't remove TS from IKEv2)



Dan Harkins <dharkins@tibernian.com> wrote:
[ ... ]
> If you can manually configure protection of some
> service on a compliant device using RFC2401 selectors and have it interoperate
> with your non-compliant implementation then I maintain you can allow your
> IKE implementation to use the TS information it receives to establish them
> dynamically. If you can do it manually you should be able to write code to
> do it dynamically.

No, the problem is that my definition of a service is translatable
neither to, nor from, a bunch of port numbers.  There are two mapping
functions in use by the two implementations, each can take a particular
packet and answer the "does it match" question, but there is no way to
compute whether my policy is equivalent to yours except in the context
of a particular packet.  In general, they won't be exactly equivalent
anyway, but as long as they both allow the desired traffic, things work
with manual keying, and would work with IKE if IKE didn't require the
ends to describe in advance what traffic each SA would carry.

					-=] Mike [=-
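The point Mike makes above (two policy representations that can each answer "does this packet match" but cannot be compared to each other structurally) can be shown in code. The following is an added example, not code from the original thread or from any IKE implementation: one side's policy is an RFC 2401 / IKEv2-style traffic selector (address range, protocol, port range); the other side's "service" is modelled as an opaque predicate over packets. The class names, the "ssh-to-mgmt" service and the sample packets are all constructed for this illustration.

```python
"""Added example: comparing an IKEv2-style traffic-selector policy with an
opaque "service" policy. Equivalence of the two cannot be computed from
their descriptions; only per-packet agreement can be checked.

All names, addresses and packets below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int


@dataclass(frozen=True)
class TrafficSelector:
    """One TS entry with TS_IPV4_ADDR_RANGE semantics: inclusive address range,
    protocol (0 = any) and inclusive port range (0-65535 = any)."""
    start_addr: IPv4Address
    end_addr: IPv4Address
    proto: int = 0
    start_port: int = 0
    end_port: int = 65535

    def matches(self, addr: IPv4Address, proto: int, port: int) -> bool:
        if not (self.start_addr <= addr <= self.end_addr):
            return False
        if self.proto != 0 and self.proto != proto:
            return False
        return self.start_port <= port <= self.end_port


@dataclass(frozen=True)
class SelectorPolicy:
    """Initiator-side view of an SA: TSi describes the local end of the
    traffic, TSr the remote end. A packet is allowed if some TSi entry
    matches its source and some TSr entry matches its destination."""
    tsi: Tuple[TrafficSelector, ...]
    tsr: Tuple[TrafficSelector, ...]

    def allows(self, pkt: Packet) -> bool:
        local_ok = any(ts.matches(pkt.src, pkt.proto, pkt.sport) for ts in self.tsi)
        remote_ok = any(ts.matches(pkt.dst, pkt.proto, pkt.dport) for ts in self.tsr)
        return local_ok and remote_ok


@dataclass(frozen=True)
class ServicePolicy:
    """The other implementation's notion of a 'service'. Its structure is not
    exposed in selector terms; the only operation is the per-packet answer."""
    name: str
    predicate: Callable[[Packet], bool]

    def allows(self, pkt: Packet) -> bool:
        return self.predicate(pkt)


def both_allow(a, b, pkt: Packet) -> bool:
    """What manual keying needs: both ends accept the desired traffic."""
    return a.allows(pkt) and b.allows(pkt)


def first_disagreement(a, b, pkts: Iterable[Packet]) -> Optional[Packet]:
    """The best one can do without a common description language: probe
    concrete packets and report the first on which the two policies differ.
    No packet set is guaranteed to prove equivalence, only to refute it."""
    for p in pkts:
        if a.allows(p) != b.allows(p):
            return p
    return None


# Constructed sample: protect SSH from a client subnet to a management subnet.
MGMT = IPv4Network("10.0.0.0/24")

TS_POLICY = SelectorPolicy(
    tsi=(TrafficSelector(IPv4Address("192.0.2.0"), IPv4Address("192.0.2.255"), proto=6),),
    tsr=(TrafficSelector(MGMT[0], MGMT[-1], proto=6, start_port=22, end_port=22),),
)

# Hypothetical "service": same intent, but it also insists on an ephemeral
# source port, a constraint the TS above does not express.
SERVICE_POLICY = ServicePolicy(
    "ssh-to-mgmt",
    lambda p: p.proto == 6 and p.dport == 22 and p.dst in MGMT and p.sport >= 1024,
)

DESIRED = Packet(IPv4Address("192.0.2.10"), IPv4Address("10.0.0.5"), 6, 40000, 22)
ODD_SRC_PORT = Packet(IPv4Address("192.0.2.10"), IPv4Address("10.0.0.5"), 6, 80, 22)

if __name__ == "__main__":
    print("desired traffic allowed by both:", both_allow(TS_POLICY, SERVICE_POLICY, DESIRED))
    print("first disagreement:", first_disagreement(TS_POLICY, SERVICE_POLICY, [DESIRED, ODD_SRC_PORT]))
```

Both policies pass the traffic that matters, which is all manual keying asks of them. They are not equivalent (the selector side accepts a packet with source port 80 that the service side rejects), and nothing short of enumerating packets reveals that, because the service predicate has no selector-shaped description to compare against the TS payload.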