
RE: Protocol and port fields in selectors
>sakari.poussa@nokia.com wrote:
>> Steve & Joe, thank you for your responses.
>> 
>> The reason why I am asking this is that
>> in 3GPP/IMS the SIP signaling between the mobile
>> phone and SIP-proxy (P-CSCF) is protected with an IPSec SA.
>> The SA is not negotiated with IKE but with a sip-sec-agree
>> negotiation. In the resulting IPSec SA, the protocol is 
>> wildcard and the src/dst addresses and ports specified. The 
>> rationale is to have a single SA to protect the SIP traffic
>> running on top of UDP and TCP. 
>> 
>> It seems that some implementations support this scenario
>> while others don't. 
>

Joe Touch wrote:
>Agreed on your last point. There might be utility to saying "TCP or 
>UDP", e.g., for NFS, DNS or similar traffic that might use either. For 
>most other protocols, although both ports are allocated, only one is 
>generally used.
>
>It seems dangerous to let the transport protocol field completely float 
>but to pin down the port number. There is no universal allocation of 
>ports except relative to a transport protocol; there is no guarantee 
>that new transport protocols (DCP, SCTP, etc.) will allocate ports with 
>the same meaning.

In the 3G/IMS SIP case, the mobile phone binds to the same local port
for TCP and UDP. For the remote ports, SIP uses 5060 for
both TCP and UDP. So in this case, the local & remote ports 
are the same for both protocols, and that's why there is a
temptation to use a wildcard for the protocol field. 

So it would work for this application, and may not be literally
according to the spec, but why do you think it is dangerous?

>At best, though, it seems like this cuts the database down by a factor 
>of 2; is there that much utility to such an optimization?

That is actually the whole idea: to reduce the number of SAs. Since
we are talking about several hundred thousand SAs, cutting the size
in half reduces the memory requirements (a lot) and improves performance.

>Joe

-sakari
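The selector question discussed in this thread, as an added worked example that is not part of the original mail nor of any implementation mentioned in it: a toy SPD matcher compares the two-entry form (TCP 5060 and UDP 5060 as separate SAs) with the single protocol-wildcard entry. The addresses, the phone's local port 5100, and the rule that only TCP, UDP and SCTP carry port selectors are assumptions made for the example; the point it shows is the factor-of-2 reduction Sakari wants together with the side effect Joe warns about: with the protocol wildcarded but the port pinned, any other port-bearing protocol sent to 5060 falls into the same SA, while portless traffic such as ICMP is still excluded.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this toy model: protocols whose header carries 16-bit ports.
# A real SPD also has per-protocol selectors (ICMP type/code, MH type, ...).
PORT_BEARING = {"tcp", "udp", "sctp"}


@dataclass(frozen=True)
class Selector:
    local_addr: str
    remote_addr: str
    protocol: Optional[str]      # None = protocol field is a wildcard
    local_port: Optional[int]    # None = ANY
    remote_port: Optional[int]   # None = ANY


@dataclass(frozen=True)
class Packet:
    local_addr: str
    remote_addr: str
    protocol: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def matches(sel: Selector, pkt: Packet) -> bool:
    """Return True if the packet falls within the selector."""
    if (sel.local_addr, sel.remote_addr) != (pkt.local_addr, pkt.remote_addr):
        return False
    if sel.protocol is not None and sel.protocol != pkt.protocol:
        return False
    # A pinned port can only be compared for protocols that have ports;
    # a portless protocol (e.g. ICMP) therefore never matches a port-pinned entry.
    if sel.local_port is not None or sel.remote_port is not None:
        if pkt.protocol not in PORT_BEARING:
            return False
        if sel.local_port is not None and sel.local_port != pkt.local_port:
            return False
        if sel.remote_port is not None and sel.remote_port != pkt.remote_port:
            return False
    return True


def lookup(spd: List[Selector], pkt: Packet) -> Optional[Selector]:
    """First-match SPD lookup (entries are assumed to be in priority order)."""
    for sel in spd:
        if matches(sel, pkt):
            return sel
    return None


# Constructed addresses: phone and P-CSCF; 5100 is a made-up phone-side port.
PHONE, PCSCF, LOCAL_PORT, SIP_PORT = "10.0.0.2", "192.0.2.10", 5100, 5060


def explicit_spd() -> List[Selector]:
    """One entry per transport: what the spec-literal configuration needs."""
    return [Selector(PHONE, PCSCF, "tcp", LOCAL_PORT, SIP_PORT),
            Selector(PHONE, PCSCF, "udp", LOCAL_PORT, SIP_PORT)]


def wildcard_spd() -> List[Selector]:
    """Single entry with the protocol wildcarded and both ports pinned."""
    return [Selector(PHONE, PCSCF, None, LOCAL_PORT, SIP_PORT)]


def compare() -> dict:
    """Run the same traffic against both SPD shapes and summarise the result."""
    tcp_sip = Packet(PHONE, PCSCF, "tcp", LOCAL_PORT, SIP_PORT)
    udp_sip = Packet(PHONE, PCSCF, "udp", LOCAL_PORT, SIP_PORT)
    sctp_to_5060 = Packet(PHONE, PCSCF, "sctp", LOCAL_PORT, SIP_PORT)
    icmp = Packet(PHONE, PCSCF, "icmp")
    explicit, wildcard = explicit_spd(), wildcard_spd()
    return {
        "explicit_entries": len(explicit),
        "wildcard_entries": len(wildcard),
        "explicit_covers_sip": all(lookup(explicit, p) is not None for p in (tcp_sip, udp_sip)),
        "wildcard_covers_sip": all(lookup(wildcard, p) is not None for p in (tcp_sip, udp_sip)),
        # The explicit entries never catch another transport on port 5060 ...
        "explicit_matches_sctp": lookup(explicit, sctp_to_5060) is not None,
        # ... but the wildcard entry does: the port is pinned, the protocol is not.
        "wildcard_matches_sctp": lookup(wildcard, sctp_to_5060) is not None,
        # Portless traffic stays outside the port-pinned SA in both shapes.
        "wildcard_matches_icmp": lookup(wildcard, icmp) is not None,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The halving of the table is exactly what `explicit_entries` versus `wildcard_entries` shows; `wildcard_matches_sctp` is the concrete form of Joe's point that a port number is only defined relative to a transport, so a protocol-wildcard selector silently extends the SA to whatever future port-bearing protocol happens to use the same number.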