[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for ICMP message type selectors

>   itojun commented...
>   >  we will need to do this every time new protocol becomes available.
>   >  i guess we should make the concept of "selector" more generic.
>   >  (for KAME implementation i'm thinking of switching to BPF-based policy)
>   I agree that some extensible mechanism is needed.  Selectors form a tree
>   (or maybe lattice if one wants to simplify "reuse"). I do not think that
>   this is a problem that the current IPsec working group will have as a
>   work item, and not before IKEv2 advances.  Obvious issues are "complexity"
>   of the packet parsing/description language (of which BPF is an example),
>   and whether the concept or implementations introduce unacceptable risks.
>=> OpenBSD has an unified filtering/classifying stuff which can (should!)
>be used for QoS (aka ALTQ), IPsec and firewall.

	actually yesterday i changed my mind and working on PF-based policy
	lookup.  stay tuned (but i need to think about IKE-interaction more...
	hi, sakane-san!)