
IPsec issue #47 -- selectors can be a list of ranges



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	47

Title:		All selectors can be a list of ranges, per IKEv2 spec

Description:	A list of ranges is now supported by IKEv2 for all
		non-symbolic selector types.  The IPsec architecture
		document needs to be brought into alignment with IKEv2.

Proposed approach:

      1. Update selector section to indicate that:

	"For all non-symbolic selector types, selector values may be a
	single value, a list of values, a range, a list of ranges,
	or any combination of these."

      2. Add text about the SPD along the lines of:

	The SPD contains an ordered list of policy entries.  Each policy
	entry is keyed by one or more selectors that define the set of
	IP traffic to which this policy entry applies.  (The required
	selector types are defined in Section x.x.x.)  The SPD MUST
	permit a security administrator to specify the values for each
	non-symbolic selector type to be specified as a list of ranges.
	In this fashion one may represent an individual value (a list
	consisting of one entry which represents a trivial range), an
	enumerated list of individual values, a single range entry, a
	list of ranges, or any combination of these.  This will enable
	policies to be specified that, for example, support use of a
	single SA to carry traffic for multiple protocols. Note that
	this text describes the representation in the SPD that maps
	into IKE payloads. The management GUI can offer the user other
	forms of data entry and display, e.g., the option of using
	address masks as well as ranges not representable by a mask,
	and symbolic names for protocols, ports, etc. (Do not confuse
	the use of symbolic names in a management interface with the
	reference to symbolic SPD selector types.) If the reserved,
	symbolic selector value OPAQUE is employed for a given selector
	type, only it may appear in the list for that type, and it must
	appear only once in the list for that type.
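
As an added illustration (my own code, not text from the issue or any draft), here is a small Python model of SPD lookup in which every non-symbolic selector is a list of ranges, with the OPAQUE rule above enforced; the selector names, packet layout and sample policy are constructed assumptions.

```python
# Added example, not text from the IPsec WG issue: a small model of SPD
# selector matching where each non-symbolic selector is a list of ranges.
# Selector names, the packet dict layout and the sample policy are assumptions.
import ipaddress
OPAQUE = "OPAQUE"  # reserved symbolic selector value named in the proposal

def addr_int(s):
    return int(ipaddress.ip_address(s))

def mask_to_range(cidr):
    """GUI convenience from the text: an address mask maps to one range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (int(net[0]), int(net[-1]))

def selector_matches(values, packet_value):
    """Match one selector type: a single value, a (lo, hi) range, or a list
    mixing both; OPAQUE, if used, must be the list's sole, single entry."""
    items = values if isinstance(values, list) else [values]
    if OPAQUE in items:
        if items != [OPAQUE]:
            raise ValueError("OPAQUE must be the only entry for a selector type")
        return True  # simplifying assumption: this field is not compared
    ranges = [v if isinstance(v, tuple) else (v, v) for v in items]
    return any(lo <= packet_value <= hi for lo, hi in ranges)

def lookup(spd, packet):
    """Ordered SPD walk: the first entry whose every selector matches wins."""
    for entry in spd:
        sel = entry["selectors"]
        if all(selector_matches(sel[k], packet[k]) for k in sel):
            return entry["action"]
    return None

# Constructed sample SPD: one entry protects TCP and UDP (a list of protocol
# values) to a masked subnet plus a non-mask address range; ICMP is bypassed.
SAMPLE_SPD = [
    {"selectors": {"remote_addr": [mask_to_range("192.0.2.0/24"),
                                   (addr_int("198.51.100.10"), addr_int("198.51.100.20"))],
                   "next_proto": [6, 17], "remote_port": [(1, 1023), 8080]},
     "action": "PROTECT"},
    {"selectors": {"next_proto": 1, "remote_port": OPAQUE}, "action": "BYPASS"},
]

def classify(addr, proto, port):
    pkt = {"remote_addr": addr_int(addr), "next_proto": proto, "remote_port": port}
    return lookup(SAMPLE_SPD, pkt)
```

The first entry shows the point made in the proposed text: one policy entry, and hence one SA, can carry traffic for several protocols and several address ranges.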

Open Question for the WG:
      a. How many values per SPD selector type entry should an
	implementation support?

Thank you,
Karen