[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis issues

To: Stephen Kent <kent@bbn.com>
Subject: Re: 2401bis issues
From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>
Date: Tue, 14 Oct 2003 14:00:36 -0400
Cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Tue, 14 Oct 2003 13:28:32 EDT." <p0600200ebbb1e0891e62@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com


In message <p0600200ebbb1e0891e62@[128.89.89.75]>, Stephen Kent writes:
>
>I agree that this is not an interoperability issue, but 2401 
>established a per-interface SPD requirement and I think we now have 
>heard from various folks that this is unduly restrictive. So as part 
>of the revised processing model
>we need to remove the old, 2401 restriction and explain what the new 
>model does and why.

I agree on removing the limitation.

>Tero has pointed out in some private e-mail that this 
>characterization in quotes is not quite right, i.e., IKEv2 does not 
>work this way!  So, we are revising the characterization accordingly. 
>The bottom line is that one can accommodate multiple protocols in a 
>single SPD entry, because the entry really consists of a list of 
>selector sets, each set contains S/D IP address range, ONE protocol 
>(or ANY), and S/D port range.  The "list of ranges" effect is 
>achieved in that fashion.

Correct.
-Angelos

References:
- Re: 2401bis issues
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: IKEv2 Correction (editorial)
Next by Date: Re: Issue 68 ("VPNs with overlapping IP address ranges")
Prev by thread: Re: 2401bis issues
Next by thread: Re: 2401bis issues
Index(es):
- Date
- Thread