Re: IKE negotiation for ICMP message type selectors
> itojun commented...
> > we will need to do this every time new protocol becomes available.
> > i guess we should make the concept of "selector" more generic.
> > (for KAME implementation i'm thinking of switching to BPF-based policy)
> I agree that some extensible mechanism is needed. Selectors form a tree
> (or maybe lattice if one wants to simplify "reuse"). I do not think that
> this is a problem that the current IPsec working group will have as a
> work item, and not before IKEv2 advances. Obvious issues are "complexity"
> of the packet parsing/description language (of which BPF is an example),
> and whether the concept or implementations introduce unacceptable risks.
> => OpenBSD has a unified filtering/classifying stuff which can (should!)
> be used for QoS (aka ALTQ), IPsec and firewall.
actually yesterday i changed my mind and am working on PF-based policy
lookup. stay tuned (but i need to think about IKE-interaction more...