[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI QUESTION: 5.3 SPD entries

To: "Theodore Ts'o" <tytso@mit.edu>
Subject: Re: SOI QUESTION: 5.3 SPD entries
From: Jan Vilhuber <vilhuber@cisco.com>
Date: Thu, 18 Jul 2002 18:24:16 -0700 (PDT)
cc: <ipsec@lists.tislabs.com>
In-Reply-To: <E17SkbB-0001ON-00@think.thunk.org>
Sender: owner-ipsec@lists.tislabs.com

On Thu, 11 Jul 2002, Theodore Ts'o wrote:

>
> Please discuss and answer the following question:
>
>
> 5.3 SPD entries
>
> 5.3.A) Is it important in SOI to allow the the responder to accept a subset
> of the proposed SA, or should it be an all or nothing acceptance?
>

Yes. It'll help configuration simplicity.


> 5.3.B) Should the SOI offer multiple selectors with specific ports and
> addresses, or a single selector with a range of ports and range of
> addresses?  (complicated boolean complexity!)
>

We'll need a combination of both to be able to specify discontiguous
ranges of ports, which tends to happen with media broadcasts (h.323,
etc..).

jan


> Implications from the scenarios:
>
> <<<In the case of a pair of SGWs fronting multiple non-contiguous
> subnets, a mechanism that allowed the negotiation of a list of phase 2
> identities will help to alleviate the number of IPsec tunnels that must
> be created.>>> [[[5.3]]]
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe

References:
- SOI QUESTION: 5.3 SPD entries
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: SOI QUESTION: 5.1.2 Agreement of IPsec SA cryptographic algorithms
Next by Date: Re: SOI QUESTION: 6. Wire protocol issues: Message Encoding
Prev by thread: Re: SOI QUESTION: 5.3 SPD entries
Next by thread: SOI QUESTION: 6. Wire protocol issues: Message Encoding
Index(es):
- Date
- Thread