[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on SA Bundle

To: kent@bbn.com
Subject: Re: Question on SA Bundle
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Tue, 15 Apr 2003 01:04:46 +0300
CC: ipsec@lists.tislabs.com
In-reply-to: <p0510030ebac0c7c1bc6d@[128.89.88.34]> (message from Stephen Kenton Mon, 14 Apr 2003 16:42:03 -0400)
References: <p05100329baba50233f80@[128.89.88.34]><200304141936.h3EJaoI3008229@burp.tkv.asdf.org> <p0510030ebac0c7c1bc6d@[128.89.88.34]>
Sender: owner-ipsec@lists.tislabs.com

Oh, I need to expand my example a bit. I said

  "protocol = tcp" -> "use different SA-pair for each connection"

and got from values extracted from the packet

  TS for SA: protocol=tcp, src_port=x, dst=port=y

Before someone says: "but IKEv2 has address and port ranges! Your
implementation does not support those, if it just extracts values from
packet!"

Answer: it's all in the local policy definition. It can use any
suitable method of mapping the packet into TS data. Even, actually
using the SPD selector ranges.

  "address-range" -> "use SA with matched address-range"

and TS would contain the address range (instead of single
address). But the key issue is: IKE does not need to know about
this. It would just see the TS.

References:
- Re: Question on SA Bundle
  - From: Stephen Kent <kent@bbn.com>
- Re: Question on SA Bundle
  - From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Question on SA Bundle
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: Question on SA Bundle
Next by Date: RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
Prev by thread: Re: Question on SA Bundle
Next by thread: Ready for IETF last call: draft-ietf-ipsec-ciph-aes-ctr-03.txt
Index(es):
- Date
- Thread