
RE: Protocol and port fields in selectors



At 7:09 AM +0300 10/8/02, sakari.poussa@nokia.com wrote:
>Steve & Joe, thank you for your responses.
>
>The reason why I am asking this is that
>in 3GPP/IMS the SIP signaling between the mobile
>phone and SIP-proxy (P-CSCF) is protected with an IPSec SA.
>The SA is not negotiated with IKE but with a sip-sec-agree
>negotiation. In the resulting IPSec SA, the protocol is
>wildcard and the src/dst addresses and ports specified. The
>rationale is to have a single SA to protect the SIP traffic
>running on top of UDP and TCP.
>
>It seems that some implementations support this scenario
>while others don't.
>
>-sakari

I agree with Joe that this is not a good idea, in general, and 
hopefully the revised IPsec architecture will avoid the need to do 
this.  2401 does try to note that only protocols with port fields, 
e.g., TCP and UDP, should use the port field selectors, but we could 
be more explicit as we make revisions. I am not too surprised that 
not all implementations support the config you mention.

Steve
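
The following is an added example, not part of the original thread or of any IPsec implementation: a minimal selector matcher and configuration check for the case discussed above, a selector with a wildcard protocol and fixed ports. The class and function names, the addresses, the port value, and the decision that a port constraint never matches a portless protocol are all assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Protocols with port fields (the TCP and UDP examples named in the reply).
PORT_PROTOCOLS = {6: "TCP", 17: "UDP"}

@dataclass(frozen=True)
class Selector:
    src: str                         # CIDR prefix
    dst: str
    protocol: Optional[int]          # None = wildcard
    src_port: Optional[int] = None   # None = any port
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None   # None when the protocol has no ports
    dst_port: Optional[int] = None

def lint(sel):
    """Return warnings for port selectors the protocol field cannot back."""
    if sel.src_port is None and sel.dst_port is None:
        return []
    if sel.protocol is None:
        return ["ports set with wildcard protocol: only port-bearing protocols can match"]
    if sel.protocol not in PORT_PROTOCOLS:
        return [f"ports set for protocol {sel.protocol}, which has no port fields"]
    return []

def matches(sel, pkt):
    """True if the packet falls under the selector."""
    if ip_address(pkt.src) not in ip_network(sel.src):
        return False
    if ip_address(pkt.dst) not in ip_network(sel.dst):
        return False
    if sel.protocol is not None and sel.protocol != pkt.protocol:
        return False
    if sel.src_port is None and sel.dst_port is None:
        return True
    # Assumption of this sketch: a port constraint cannot match a portless protocol.
    if pkt.protocol not in PORT_PROTOCOLS:
        return False
    return (sel.src_port in (None, pkt.src_port)
            and sel.dst_port in (None, pkt.dst_port))

# Constructed sample: one selector meant to cover SIP over both UDP and TCP.
SIP_SA = Selector("192.0.2.10/32", "192.0.2.20/32", None, 5060, 5060)
```

With this selector, UDP and TCP packets on the configured ports match, an ICMP packet between the same hosts does not, and `lint(SIP_SA)` flags the wildcard-protocol-plus-ports combination for review.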