[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for ICMP message type selectors

   Yes. ICMP message type as one of the selectors is very
    helpful. ICMP is not only used to find out the host liveness,
    but also for mobile agent discovery, registration etc. and
    admins would not want to secure all kinds of ICMP packets.

    In general, we seem to be finding the requirements that
    selectors space needs to be increased. ICMP message type
    is one and TOS bits for QoS.

    I feel that we should have some extensible mechanism such that
    when we add new selectors to the protocol (assigned numbers),
    protocol implementation need not change.
    Also, the end users can choose their own selector space that is 
    agreed upon between two SG administrators. For example, 
    there may be a requirement where different SA Bundles are required
    for different RPC program numbers. One way to achieve is to define
    selectors by offset into the protocol headers, length and mask.

Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
----- Original Message ----- 
From: "Stephen Kent" <kent@bbn.com>
To: <ipsec@lists.tislabs.com>
Sent: Wednesday, June 25, 2003 4:43 PM
Subject: IKE negotiation for ICMP message type selectors

> One last selector negotiation suggestion:
> We ought to decide now if there are other fields we want to specify 
> as selectors AND that need to be negotiated (unlike the DiffServ 
> bits). For example, we've had discussion on the list about using ICMP 
> message type fields in lieu of port fields, when ICMP was the payload.
> What do people think, and why?
> Steve