
Re: Traffic Selectors



Although I have to admit I get confused if I haven't read the text
about selectors within the last day or so, and text like:
   "TSi specifies the source address of traffic forwarded from (or the
   destination address of traffic forwarded to) the initiator of the
   child-SA pair."
gives me a headache, I haven't proposed alternative text because once
I read it carefully it starts making sense to me again, and I can't
think of a better way to say it.

But at any rate, I think it is correct. Let's look at traffic
from Alice to Bob, where Alice has proposed 3 selectors for TSi and
2 selectors for TSr. For instance, address ranges {51*, 892*, and 44*}
for TSi and address ranges {99*, 12*} for TSr.

That would mean that for traffic from Alice to Bob, the source address
can be anything starting with 51, 892, or 44, and the destination can
be anything starting with 99 or 12.

It does NOT mean that the traffic selectors are paired, in the sense
that traffic has to be (Source=51*, Dest=99*) OR (Source=892*, dest=12*)...
If that were the case, you're right...there would need to be the same
number of selectors in TSi and TSr.

But the way it's specified, as long as the source on traffic
from Alice to Bob is included in ANY of the traffic selectors in TSi,
and the destination is included in ANY of the traffic selectors in TSr,
then it's legal.

Radia

	From: "David Faucher" <dfaucher@lucent.com>

	draft-ietf-ipsec-ikev2-03.txt:
	
	Due to the fact that TS payloads allow multiple traffic 
	selectors and because each direction has its own payload,
	it is possible to specify some very strange (and difficult
	to interpret) traffic selectors. For instance, what does 
	it mean when TSi has 3 traffic selectors while TSr has 2.
	
	I would guess that some implementations would have trouble
	handling asymmetric traffic selectors?
	
	Is there too much flexibility here? Do there need to
	be some restrictions on what can be sent?
	
	
	David
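
The matching rule described in the reply above, as an added example that is not part of the original messages or of the IKEv2 draft. It assumes each traffic selector is just an inclusive address range (no protocol or port fields), uses constructed IPv4 ranges in place of the {51*, 892*, 44*} and {99*, 12*} prefixes, and all function names are hypothetical.

```python
import ipaddress
from itertools import product

def ts(start, end):
    """One traffic selector, modelled (assumption) as an inclusive address range."""
    return (ipaddress.ip_address(start), ipaddress.ip_address(end))

def in_any(addr, selectors):
    """True if addr falls inside at least one selector of the payload."""
    a = ipaddress.ip_address(addr)
    return any(lo <= a <= hi for lo, hi in selectors)

def permitted(src, dst, tsi, tsr, from_initiator=True):
    """Rule from the reply: source in ANY TSi and destination in ANY TSr for
    initiator-to-responder traffic; the roles swap for the reverse direction."""
    if from_initiator:
        return in_any(src, tsi) and in_any(dst, tsr)
    return in_any(src, tsr) and in_any(dst, tsi)

def permitted_if_paired(src, dst, tsi, tsr):
    """The reading the reply rules out: TSi[k] may only be used with TSr[k]."""
    if len(tsi) != len(tsr):
        raise ValueError("paired reading needs the same number of selectors")
    return any(in_any(src, [i]) and in_any(dst, [r]) for i, r in zip(tsi, tsr))

def allowed_pairs(tsi, tsr):
    """Every (source range, destination range) combination the SA pair covers."""
    return list(product(tsi, tsr))

# Constructed sample data: 3 selectors in TSi, 2 in TSr, as in the thread.
TSI = [ts("10.51.0.0", "10.51.255.255"),
       ts("10.89.2.0", "10.89.2.255"),
       ts("10.44.0.0", "10.44.255.255")]
TSR = [ts("192.168.99.0", "192.168.99.255"),
       ts("192.168.12.0", "192.168.12.255")]

if __name__ == "__main__":
    print("combinations covered:", len(allowed_pairs(TSI, TSR)))
    # Source from the 2nd TSi selector, destination from the 1st TSr selector.
    print("initiator->responder:", permitted("10.89.2.7", "192.168.99.1", TSI, TSR))
    # Same SA pair, reverse direction: source must be in TSr, destination in TSi.
    print("responder->initiator:",
          permitted("192.168.12.5", "10.44.1.1", TSI, TSR, from_initiator=False))
    # With equal counts the paired reading is defined but narrower.
    print("paired reading:", permitted_if_paired("10.51.0.1", "192.168.12.1", TSI[:2], TSR))
```

A policy check written against the paired reading would reject traffic the peer considers covered by the SA, so an implementation comparing negotiated selectors with local policy needs the full cross product.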