Re: SOI QUESTION: 5.3 SPD entries
At 4:31 PM -0400 7/11/02, Theodore Ts'o wrote:
>Please discuss and answer the following question:
>
>
>5.3 SPD entries
>
>5.3.A) Is it important in SOI to allow the responder to accept a subset
>of the proposed SA, or should it be an all or nothing acceptance?
Subset acceptance sounds attractive, as a means of making it easier
to coordinate SPDs, but it does complicate the system and I don't
know if the new processing model we envision for 2401bis would
accommodate subset acceptance. It requires further thought.
>
>5.3.B) Should the SOI offer multiple selectors with specific ports and
>addresses, or a single selector with a range of ports and range of
>addresses? (complicated boolean complexity!)
Based on list reaction to earlier comments, and feedback that Cheryl
reported at an IETF meeting some time ago, I think we anticipate that
2401bis will call for a uniform approach to selector specification
(inspired by the JFK design). The approach is a list of ranges of
values. A single value or a single range is a trivial form of this
approach, consistent with current capabilities. The list feature
allows enumeration of individual, non-contiguous values (e.g.,
different protocols or ports), and the list of non-trivial ranges is the
most complex form.
>
>Implications from the scenarios:
>
><<<In the case of a pair of SGWs fronting multiple non-contiguous
>subnets, a mechanism that allowed the negotiation of a list of phase 2
>identities will help to alleviate the number of IPsec tunnels that must
>be created.>>> [[[5.3]]]
This is one good example of where this form of selector is helpful,
but it also applies when an application allows either UDP or TCP on
the same ports, etc.
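The following is an added example, not code from the message or from any IPsec implementation, that models the "list of ranges" selector form the reply describes for 2401bis and the subset acceptance question from 5.3.A. Every selector field (source address, destination address, protocol, destination port) is a list of inclusive ranges; a single value and a single range are the one-element cases, and a list of non-contiguous values or CIDR blocks is the general case. The sample policy (one SGW fronting two non-contiguous subnets, SIP signalling over both TCP and UDP) is constructed here for illustration; the `narrow` function is a hypothetical sketch of what a responder accepting a subset would compute, included only to make the 5.3.A question concrete, not a description of how any SOI candidate works.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# One selector field is a list of inclusive (low, high) ranges. A single value
# and a single range are just the one-element forms of the same structure.
Range = Tuple[int, int]
RangeList = List[Range]

ANY_PORT: RangeList = [(0, 65535)]
ANY_PROTO: RangeList = [(0, 255)]


def single(value: int) -> RangeList:
    """Trivial form: one exact value."""
    return [(value, value)]


def values(*vals: int) -> RangeList:
    """List form: enumerate non-contiguous individual values (e.g. TCP and UDP)."""
    return [(v, v) for v in sorted(vals)]


def networks(*cidrs: str) -> RangeList:
    """List-of-ranges form: each CIDR block becomes one address range."""
    out = []
    for cidr in cidrs:
        net = ip_network(cidr)
        out.append((int(net.network_address), int(net.broadcast_address)))
    return sorted(out)


def in_ranges(value: int, ranges: RangeList) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Selector:
    src: RangeList
    dst: RangeList
    proto: RangeList
    dport: RangeList

    def matches(self, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
        """True when every field of the packet falls inside the selector."""
        return (
            in_ranges(int(ip_address(src_ip)), self.src)
            and in_ranges(int(ip_address(dst_ip)), self.dst)
            and in_ranges(proto, self.proto)
            and in_ranges(dport, self.dport)
        )


def intersect(a: RangeList, b: RangeList) -> RangeList:
    """Pairwise overlap of two range lists; empty if they share no value."""
    out = []
    for lo1, hi1 in a:
        for lo2, hi2 in b:
            lo, hi = max(lo1, lo2), min(hi1, hi2)
            if lo <= hi:
                out.append((lo, hi))
    return sorted(out)


def narrow(proposed: Selector, policy: Selector) -> Optional[Selector]:
    """Hypothetical subset acceptance (5.3.A): the responder keeps only the
    part of the proposal that its own SPD entry covers. Returns None when
    some field has no overlap at all, i.e. nothing can be accepted."""
    fields = {}
    for name in ("src", "dst", "proto", "dport"):
        common = intersect(getattr(proposed, name), getattr(policy, name))
        if not common:
            return None
        fields[name] = common
    return Selector(**fields)


# Constructed sample policy (not from the message): one SGW fronts two
# non-contiguous subnets and protects SIP signalling over both TCP and UDP
# towards a single remote subnet. One selector covers it, where a
# single-value/single-range model would need four separate SAs.
SGW_SELECTOR = Selector(
    src=networks("10.1.0.0/24", "10.3.0.0/24"),
    dst=networks("192.168.5.0/24"),
    proto=values(6, 17),
    dport=single(5060),
)
```

Each field stays independent, so the selector is the cross product of its range lists; a policy that must pair specific ports with specific protocols still needs separate entries, which is the "complicated boolean complexity" the question alludes to.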