
A question about traffic selector



I read the document draft-ietf-ipsec-ikev2-03.txt, and I'm
confused by the description of traffic selectors.
The following is from section 4.9:
It is possible for the Responder's policy to contain multiple smaller
ranges, all encompassed by the Initiator's traffic selector, and with the
Responder's policy being that each of those ranges should be sent over a
different SA. Continuing the example above, Bob might have a policy of
being willing to tunnel those addresses to and from Alice, but might
require that each address pair be on a separately negotiated child-SA.
If Alice generated her request in response to an incoming packet from
10.2.16.43 to 18.16.2.123, there would be no way for Bob to determine
which pair of addresses it is most urgent to tunnel, and he would have
to make his best guess or reject the request with a status of
SINGLE-PAIR-REQUIRED.

1. What does it mean that Bob "might require that each address pair be
on a separately negotiated child-SA"? Does "each address pair" imply a
pair of single addresses, such as 10.2.16.43 and 18.16.2.123?

2. The sentence "If Alice generated her request in response to an
incoming packet from 10.2.16.43 to 18.16.2.123" puzzles me. As we know,
10.2.16.43 is on Alice's side and 18.16.2.123 is on Bob's side, but the
word "incoming" is used here. So I have to think it is Alice's request
that goes from 10.2.16.43 to 18.16.2.123. Why does the doc say "there
would be no way for Bob to determine which pair of addresses it is most
urgent to tunnel"?


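The narrowing decision the quoted section 4.9 describes, as an added example in Python (not code from the e-mail, the draft, or any IKEv2 implementation). It models only the address part of a traffic selector (no ports or protocols, an assumed simplification) and represents Bob's policy as a list of (initiator-side range, responder-side range) pairs, each of which must become its own Child SA. With ranges only, as in draft-03, several of Bob's entries fit inside Alice's proposal and the function returns SINGLE_PAIR_REQUIRED; the optional triggering-packet argument models the mechanism later IKEv2 (RFC 4306 section 2.9) added, where the initiator puts the triggering packet's specific addresses first in TSi and TSr so the responder can tell which pair matters. The addresses and policy entries are constructed for the example.

```python
"""Added example: IKEv2 responder traffic selector narrowing (section 4.9).

Assumed simplifications, not taken from the draft: IPv4 address ranges only
(no ports or protocols); the responder's policy is a list of
(initiator-side range, responder-side range) pairs, each of which must be
negotiated as its own Child SA.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

SINGLE_PAIR_REQUIRED = "SINGLE_PAIR_REQUIRED"
TS_UNACCEPTABLE = "TS_UNACCEPTABLE"


@dataclass(frozen=True)
class AddrRange:
    """Inclusive IPv4 range: the address part of a single traffic selector."""
    lo: IPv4Address
    hi: IPv4Address

    @classmethod
    def parse(cls, text):
        """Accepts 'a.b.c.d' (single host) or 'a.b.c.d-e.f.g.h'."""
        lo, _, hi = text.partition("-")
        lo = ip_address(lo.strip())
        hi = ip_address(hi.strip()) if hi else lo
        if hi < lo:
            raise ValueError(f"bad range {text!r}")
        return cls(lo, hi)

    def is_single(self):
        return self.lo == self.hi

    def intersect(self, other):
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        return AddrRange(lo, hi) if lo <= hi else None

    def __str__(self):
        return str(self.lo) if self.is_single() else f"{self.lo}-{self.hi}"


def initiator_ts(range_i, range_r, trigger=None):
    """TSi/TSr lists as Alice would propose them.

    draft-03 behaviour is trigger=None: just the policy ranges.  With a
    triggering packet (src, dst), the specific pair is put first, which is
    what RFC 4306 section 2.9 later told initiators to do."""
    tsi, tsr = [range_i], [range_r]
    if trigger is not None:
        src, dst = (AddrRange.parse(a) for a in trigger)
        tsi.insert(0, src)
        tsr.insert(0, dst)
    return tsi, tsr


def _narrow(pol, proposed):
    """Largest overlap between one policy range and the proposed TS list."""
    hits = [x for x in (pol.intersect(t) for t in proposed) if x is not None]
    return max(hits, key=lambda r: int(r.hi) - int(r.lo), default=None)


def responder_narrow(tsi, tsr, policy):
    """Bob's choice for one CREATE_CHILD_SA: a narrowed (tsi, tsr) pair, or
    the name of the notify he would send instead."""
    candidates = []
    for pol_i, pol_r in policy:
        ni, nr = _narrow(pol_i, tsi), _narrow(pol_r, tsr)
        if ni is not None and nr is not None:
            candidates.append((pol_i, pol_r, ni, nr))
    if not candidates:
        return TS_UNACCEPTABLE
    if len(candidates) == 1:
        return candidates[0][2:]          # exactly one SA fits: narrow to it
    # Several policy entries fit inside the proposal.  Only a specific pair at
    # the head of the proposal tells Bob which one the triggering packet needs;
    # otherwise he can only guess or reject with SINGLE_PAIR_REQUIRED.
    if tsi[0].is_single() and tsr[0].is_single():
        for pol_i, pol_r, ni, nr in candidates:
            if pol_i.intersect(tsi[0]) and pol_r.intersect(tsr[0]):
                return (ni, nr)
    return SINGLE_PAIR_REQUIRED


# Constructed scenario after the draft's example: Alice covers two /24s, Bob
# insists on one Child SA per host pair (three such pairs listed here).
ALICE_I = AddrRange.parse("10.2.16.0-10.2.16.255")
ALICE_R = AddrRange.parse("18.16.2.0-18.16.2.255")
BOB_POLICY = [
    (AddrRange.parse("10.2.16.43"), AddrRange.parse("18.16.2.123")),
    (AddrRange.parse("10.2.16.44"), AddrRange.parse("18.16.2.123")),
    (AddrRange.parse("10.2.16.43"), AddrRange.parse("18.16.2.124")),
]


def demo():
    """Returns both outcomes: ranges only (draft-03) vs. specific pair first."""
    ranges_only = responder_narrow(*initiator_ts(ALICE_I, ALICE_R), BOB_POLICY)
    with_pair = responder_narrow(
        *initiator_ts(ALICE_I, ALICE_R, ("10.2.16.43", "18.16.2.123")), BOB_POLICY)
    return ranges_only, with_pair


if __name__ == "__main__":
    a, b = demo()
    print("ranges only       ->", a)
    print("specific pair 1st ->", " <-> ".join(map(str, b)))
```

Running it prints SINGLE_PAIR_REQUIRED for the ranges-only proposal and the narrowed pair 10.2.16.43 <-> 18.16.2.123 when the triggering packet's addresses lead the proposal; a policy with a single overlapping entry is narrowed without any hint, and a policy with no overlap yields TS_UNACCEPTABLE.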