Re: IKE negotiation for ICMP message type selectors
Hi,
Yes. ICMP message type as one of the selectors is very
helpful. ICMP is not only used to find out the host liveness,
but also for mobile agent discovery, registration etc. and
admins would not want to secure all kinds of ICMP packets.
In general, we seem to be finding requirements that the
selector space needs to be increased. ICMP message type
is one, and TOS bits for QoS another.
I feel that we should have some extensible mechanism such that
when we add new selectors to the protocol (assigned numbers),
protocol implementations need not change.
Also, the end users can choose their own selector space that is
agreed upon between two SG administrators. For example,
there may be a requirement where different SA Bundles are required
for different RPC program numbers. One way to achieve this is to define
selectors by offset into the protocol headers, length and mask.
Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message -----
From: "Stephen Kent" <kent@bbn.com>
To: <ipsec@lists.tislabs.com>
Sent: Wednesday, June 25, 2003 4:43 PM
Subject: IKE negotiation for ICMP message type selectors
> One last selector negotiation suggestion:
>
> We ought to decide now if there are other fields we want to specify
> as selectors AND that need to be negotiated (unlike the DiffServ
> bits). For example, we've had discussion on the list about using ICMP
> message type fields in lieu of port fields, when ICMP was the payload.
>
> What do people think, and why?
>
> Steve
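As an added illustration, not part of the thread, here is the offset/length/mask selector idea from Srini's reply above applied to the two selectors the thread names (ICMP message type and the TOS/DSCP bits), matched against constructed IPv4/ICMP packets. The `ip`/`proto` header encoding, the selector names and the sample addresses are my assumptions; IKE defines no such generic selector type.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class GenericSelector:
    """A traffic selector expressed as (header, offset, length, mask, value).

    'header' is 'ip' for the outer IPv4 header or 'proto' for the header of
    the IP payload (ICMP, UDP, ...). Illustrative encoding, not an IKE one.
    """
    header: str
    offset: int
    length: int
    mask: int
    value: int

    def matches(self, packet: bytes) -> bool:
        ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
        base = 0 if self.header == "ip" else ihl
        field = packet[base + self.offset: base + self.offset + self.length]
        if len(field) != self.length:
            return False                         # truncated packet: never match
        return (int.from_bytes(field, "big") & self.mask) == self.value


def ipv4_icmp_packet(tos: int, icmp_type: int, icmp_code: int = 0) -> bytes:
    """Build a minimal IPv4+ICMP packet (constructed sample; checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_hdr + icmp_hdr


# Selectors two SG administrators might agree on out of band:
ICMP_ECHO_REQUEST = GenericSelector("proto", 0, 1, 0xFF, 8)   # ICMP type 8
ICMP_ROUTER_ADVERT = GenericSelector("proto", 0, 1, 0xFF, 9)  # type 9, used by mobile agent discovery
DSCP_EF = GenericSelector("ip", 1, 1, 0xFC, 0xB8)            # DSCP 46 (EF) in the TOS byte, ECN bits masked


def classify(packet: bytes, policy) -> str:
    """Return the name of the first policy entry whose selector matches, else 'bypass'."""
    for name, selector in policy:
        if selector.matches(packet):
            return name
    return "bypass"
```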