[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 2401bis Issue #69 -- Multiple protocols per SPD entry
Hi,
I feel the proposed solution can be extended to support 'Port range'.
Today, we have facility to negotiate a port or all ports. Adding 'port
range'
in Security Policy and providing a way to negotiate through IKE will solve
some practical problems.
Regards
Ravi
> ----- Original Message -----
> From: "Karen Seo" <kseo@bbn.com>
> To: "ipsec mailingList" <ipsec@lists.tislabs.com>
> Cc: <byfraser@cisco.com>; <tytso@mit.edu>; "Angelos D. Keromytis"
<angelos@cs.columbia.edu>; <kivinen@ssh.fi>; <kseo@bbn.com>
> Sent: Friday, September 12, 2003 5:27 PM
> Subject: 2401bis Issue #69 -- Multiple protocols per SPD entry
>
>
> > Folks,
> >
> > Here's a description and proposed approach for:
> >
> > IPsec Issue #: 69
> >
> > Title: Multiple protocols per SPD entry
> >
> > Description:
> > ============
> > How does one SPD entry cover multiple protocols associated with one
> > port, e.g., TCP/NFS and UDP/NFS?
> >
> >
> > Proposed approach:
> > ==================
> > The addition of support for lists of ranges of selectors (Issue #47)
> > in an SPD entry allows a single port (e.g., a well-known port) to be
> > used with multiple protocols, on the same SA. It also allows multiple
> > ports under the same protocol to be mapped to one SA, etc. Note,
> > however, that this capability does not permit an SPD entry to specify
> > that different ports in a list are to be used with different
> > protocols. Thus, for example, if an SPD entry contains a list with
> > both TCP and UDP, and the entry contains destination ports A & B,
> > then TCP and UDP traffic for either port will be acceptable for the
> > resulting SA.
> >
> >
> > Thank you,
> > Karen >
The Views Presented in this mail are completely mine. The company is not
responsible for what so ever.
----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA
ROC HOME PAGE:
http://www.roc.co.in