[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Ikev2 Traffic Selector payload

To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Subject: Re: Ikev2 Traffic Selector payload
From: Michael Thomas <mat@cisco.com>
Date: Wed, 15 May 2002 08:56:13 -0700 (PDT)
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200205120037.g4C0bsT18803@sydney.East.Sun.COM>
References: <200205120037.g4C0bsT18803@sydney.East.Sun.COM>
Sender: owner-ipsec@lists.tislabs.com

Radia Perlman - Boston Center for Networking writes:
 > But here's the change that incorporates Valery's suggestion, I think:
 > 
 >    If the responder has multiple ranges, and can't choose, then he
 >    MUST choose the largest set that encompasses the first TSi and first TSr.

Radia,

Is there any real life motivation for this sort of
complication? What you're proposing to fix here
smells much more like it's just smoothing over
configuration errors, with the distinct
possibility that both wrong implementations and
changes of configuration will come back to bite
whomever was relying on this behavior.

IMO, it's worth considering whether we should make
the protocols less tolerant of screwups with crisp
semantics, vs trying to be more forgiving along
with murky semantics. It seems to me that DWIM 
semantics with security protocols is a pretty
treacherous road.

	    Mike

References:
- Re: Ikev2 Traffic Selector payload
  - From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>

Prev by Date: Re: Specification of tunnel/transport attribute in IKEv2
Next by Date: Re: JFK nit
Prev by thread: Re: Ikev2 Traffic Selector payload
Next by thread: Re: Ikev2 Traffic Selector payload
Index(es):
- Date
- Thread