
Re: SOI QUESTION: 5.3 SPD entries



At 4:31 PM -0400 7/11/02, Theodore Ts'o wrote:
>Please discuss and answer the following question:
>
>
>5.3 SPD entries
>
>5.3.A) Is it important in SOI to allow the responder to accept a subset
>of the proposed SA, or should it be an all or nothing acceptance?

Subset acceptance sounds attractive, as a means of making it easier 
to coordinate SPDs, but it does complicate the system and I don't 
know if the new processing model we envision for 2401bis would 
accommodate subset acceptance.  It requires further thought.

>
>5.3.B) Should the SOI offer multiple selectors with specific ports and
>addresses, or a single selector with a range of ports and range of
>addresses?  (complicated boolean complexity!)

Based on list reaction to earlier comments, and feedback that Cheryl 
reported at an IETF meeting some time ago, I think we anticipate that 
2401bis will call for a uniform approach to selector specification 
(inspired by the JFK design). The approach is a list of ranges of 
values. A single value or a single range is a trivial form of this 
approach, consistent with current capabilities. The list feature 
allows enumeration of individual, non-contiguous values (e.g., 
different protocols or ports), and the list of non-trivial ranges is the 
most complex form.

>
>Implications from the scenarios:
>
><<<In the case of a pair of SGWs fronting multiple non-contiguous
>subnets, a mechanism that allowed the negotiation of a list of phase 2
>identities will help to alleviate the number of IPsec tunnels that must
>be created.>>> [[[5.3]]]

This is one good example of where this form of selector is helpful, 
but it also applies when an application allows either UDP or TCP on 
the same ports, etc.
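The "list of ranges" selector form discussed above, modelled as a small added example (this is not code from the thread, from 2401bis or from any IPsec implementation; the `Selector`/`Packet` names, the IPv4-only address handling and the sample subnets and ports are assumptions). Each selector field is a list of inclusive ranges, so a single value, a single range, a list of non-contiguous values (TCP or UDP on the same port) and a list of non-contiguous subnets behind a pair of security gateways are all instances of one matcher. `entries_without_lists` counts how many single-range SPD entries (and so how many SA pairs) the same policy would need if lists were not available, which is the tunnel-count point made for the SGW scenario.

```python
# Added example: toy SPD selector where every field is a list of
# inclusive (low, high) ranges. Names and sample values are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (low, high); a single value is (v, v)

# Wildcards expressed in the same form (IPv4-only in this toy model).
ANY_ADDR: List[Range] = [(0, 2**32 - 1)]
ANY_PROTO: List[Range] = [(0, 255)]
ANY_PORT: List[Range] = [(0, 65535)]


def single(v: int) -> List[Range]:
    """A single value: the trivial one-element, zero-width list of ranges."""
    return [(v, v)]


def values(*vs: int) -> List[Range]:
    """Individual non-contiguous values, e.g. protocols 6 (TCP) and 17 (UDP)."""
    return [(v, v) for v in vs]


def addr(a: str) -> List[Range]:
    """A single host address as a one-element list of ranges."""
    v = int(ip_address(a))
    return [(v, v)]


def subnets(*cidrs: str) -> List[Range]:
    """Non-contiguous subnets as a list of address ranges (addresses as ints)."""
    return [(int(n.network_address), int(n.broadcast_address))
            for n in map(ip_network, cidrs)]


def in_ranges(v: int, ranges: List[Range]) -> bool:
    """True if v falls inside any range of the list."""
    return any(lo <= v <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    """Outbound packet: src is the local side, dst the remote side."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class Selector:
    local_addr: List[Range]
    remote_addr: List[Range]
    protocol: List[Range]
    local_port: List[Range]
    remote_port: List[Range]

    def matches(self, p: Packet) -> bool:
        """Every field must match; each field is a list-of-ranges test."""
        return (in_ranges(int(ip_address(p.src)), self.local_addr)
                and in_ranges(int(ip_address(p.dst)), self.remote_addr)
                and in_ranges(p.proto, self.protocol)
                and in_ranges(p.sport, self.local_port)
                and in_ranges(p.dport, self.remote_port))

    def entries_without_lists(self) -> int:
        """Number of single-range selectors (hence SA pairs) needed to
        express this policy if a selector could hold only one range per
        field: the product of the list lengths."""
        n = 1
        for ranges in (self.local_addr, self.remote_addr, self.protocol,
                       self.local_port, self.remote_port):
            n *= len(ranges)
        return n


# Constructed sample policies.
# Two SGWs, each fronting two non-contiguous subnets: one entry instead of four.
SGW_PAIR = Selector(local_addr=subnets("10.1.0.0/24", "10.3.0.0/24"),
                    remote_addr=subnets("192.168.5.0/24", "192.168.9.0/24"),
                    protocol=ANY_PROTO, local_port=ANY_PORT, remote_port=ANY_PORT)

# An application reachable over either TCP or UDP on the same port.
TCP_OR_UDP_53 = Selector(local_addr=addr("10.1.0.5"), remote_addr=ANY_ADDR,
                         protocol=values(6, 17), local_port=ANY_PORT,
                         remote_port=single(53))

if __name__ == "__main__":
    pkt = Packet("10.3.0.7", "192.168.9.20", 6, 40000, 443)
    print(SGW_PAIR.matches(pkt), SGW_PAIR.entries_without_lists())
```

The design choice worth noting is that wildcards, single values and ranges all share one representation, so the matcher has no special cases; the cost of the list form shows up only in `entries_without_lists`, which is what a subset-accepting responder would have to reason about when it agrees to some ranges of a proposed selector and not others.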