
Re: Move TS to optional (RE: Don't remove TS from IKEv2)



Dan Harkins <dharkins@tibernian.com> wrote:
 > All I'm saying is that if a certain set of selectors manually configured on
 > one end corresponds to whatever it is you manually do on your end then there
 > is a mapping between a set of IPsec selectors, and therefore an equivalent
 > set of TS payloads, and whatever your configuration looks like.

But the two ends' configurations DON'T correspond to each other.  Each
end has a policy that describes a superset of the traffic that will
actually be sent.  Probably both ends have defined a policy that uses
the smallest superset that their respective policy notations allow.  But
they are in general not the same superset if they do not use the same
notation.  To require them to use the same notation is an unnecessary
constraint on the implementations, and an unclean overlapping of layers
of the security "stack".

 > So it should
 > be very straightforward for you to write some code to do that mapping
 > dynamically.

It's not.  What you seem to keep missing is that it is possible and
useful to classify packets by criteria that don't directly correspond to
port numbers.  There is no translation from such a classifier to a list
of IPsec-style selectors.  The only thing that my policy and the other
end's 2401-style policy have in common is that they both describe a
superset of the traffic that will actually be carried, and they can both
answer the "does it match" question about a particular packet.


I know that the problem I'm describing is not a problem that past IPsec
work has aimed to solve.  I wouldn't be spending so much effort
describing a new problem that future IPsec designs could solve except
for the fact that there is probably a common solution to this one and
the problem of "dynamic ports".  They are essentially the same problem,
that the traffic selection description is not flexible enough to
describe more complex services.  They are different in that the dynamic
ports problem can be solved by a more complex TS agreement mechanism,
while my problem cannot be solved that way.  I think they can both be
solved by avoiding TS agreement.  When I have a more concrete proposal
I'll let the group know.


					-=] Mike [=-
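To make the distinction in this thread concrete, here is an added illustration (not code from either poster): one end's policy is written in RFC 2401-style selectors, which can be enumerated as TS payload ranges, while the other end's policy is an arbitrary packet classifier that can only answer "does it match". The class and function names, the policies and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Selector:
    """One RFC 2401-style selector: exactly what a TS payload can carry."""
    src: IPv4Network
    dst: IPv4Network
    proto: int
    port_lo: int
    port_hi: int

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and p.proto == self.proto and self.port_lo <= p.dport <= self.port_hi)


class SelectorPolicy:
    """Policy in selector notation: answers 'does it match' AND enumerates as TS."""
    def __init__(self, selectors):
        self.selectors = selectors

    def matches(self, p: Packet) -> bool:
        return any(s.matches(p) for s in self.selectors)

    def to_ts(self):
        return [(str(s.src), str(s.dst), s.proto, s.port_lo, s.port_hi) for s in self.selectors]


class ClassifierPolicy:
    """Policy as an arbitrary predicate: answers 'does it match' per packet, but
    there is no finite list of address/port ranges equivalent to it, so no to_ts()."""
    def __init__(self, predicate):
        self.predicate = predicate

    def matches(self, p: Packet) -> bool:
        return self.predicate(p)


def carried(local, remote, p: Packet) -> bool:
    """Without TS agreement a packet is carried iff both ends' supersets contain it."""
    return local.matches(p) and remote.matches(p)


# Constructed policies: remote end uses selectors, local end a port-independent
# classifier (TCP payload that looks like an HTTP request, on any port).
REMOTE = SelectorPolicy([Selector(IPv4Network("10.0.0.0/8"), IPv4Network("192.0.2.0/24"), 6, 1024, 65535)])
LOCAL = ClassifierPolicy(lambda p: p.proto == 6 and p.payload.startswith(b"GET "))


def demo():
    pkts = [Packet("10.1.2.3", "192.0.2.10", 6, 8080, b"GET / HTTP/1.1"),   # both accept
            Packet("10.1.2.3", "192.0.2.10", 6, 80, b"GET / HTTP/1.1"),     # remote rejects port
            Packet("10.1.2.3", "192.0.2.10", 6, 8080, b"SSH-2.0-example")]  # local rejects payload
    return [carried(LOCAL, REMOTE, p) for p in pkts]
```

The traffic actually carried is the intersection of the two supersets, evaluated per packet; only the selector side could have produced a TS list for negotiation.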