[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

an SPD syntax example

To: Stephen Kent <kent@bbn.com>
Subject: an SPD syntax example
From: Tero Kivinen <kivinen@iki.fi>
Date: Thu, 22 Jan 2004 04:03:45 +0200
Cc: ipsec@lists.tislabs.com
In-reply-to: <p06020408bc348537cc7f@[128.89.89.75]>
Organization: Helsinki University of Technology
References: <p06020408bc348537cc7f@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com

Stephen Kent writes:
> Comments welcome, other than those arguing for use of another syntax :-)
> 
> SPD ::= SEQUENCE of SPDEntry
> 
> SPDEntry ::= SET OF SelectorSet
> 
> SelectorSet ::= SEQUENCE {
> 	sourceAddr	AddrList,
> 	destAddr	AddrList,

Why are these AddrList types? Why not simply AddrOrList, or actually
even better remove AddrList, AddrOrList, IPaddr and change this to
IPRange, and add comment to IPRange saying that if start == end then
it is single address (==IPaddr). As this is explaining the minimal
SPD, I think it should really be minimal, and it should not do
optimizations where we save 4/16 bytes by not expressing IPaddr as
IPRange constructs, or by having less SelectorSets by allowing each
list have list of ranges, instead of having multiple SelectorSets each
having one range. The bad thing is that now we have two different ways
to express same thing:

SPDEntry = {
	 SelectorSet = {
		     sourceAddr = { 10.0.0.1, 10.0.0.5 }
		     destAddr = { 10.0.2.1 }
		     ... rest omitted
	 }
}

and

SPDEntry = {
	 SelectorSet = {
		     sourceAddr = { 10.0.0.1 }
		     destAddr = { 10.0.2.1 }
		     ... rest omitted
	 }
	 SelectorSet = {
		     sourceAddr = { 10.0.0.5 }
		     destAddr = { 10.0.2.1 }
		     ... rest omitted
	 }
}

of course when the number of items in the list grows then the
combinatory explosion will create huge number of SPDEntry items, but
on the other hand this is simply explaining minimal format for the
SPD, real SPDs will propably have more compressed formats anyways. 

In IKEv2 you still need to convert the IPaddr to IPRange before using
it in the traffic selector.

Also in the IKEv2 there is no construct of AddrList at all, we have
two lists (source and destination) of Traffic Selectors (==
SelectorSet), each having on start and end addresses (IPRange), and
port range.

Because in the IKEv2 we do have separate source and destination lists,
it will remove the combinatory explosion, thus the same example can be
expressed as (using the format described in the end of this email):

SPDEntry = {
	 source = {
		TrafficSelector = { Addr = 10.0.0.1-10.0.0.1, ... }
		TrafficSelector = { Addr = 10.0.0.5-10.0.0.5, ... }
	 }
	 destination = {
		TrafficSelector = { Addr = 10.0.2.1-10.0.2.1, ... }
	 }
}

> 	protocol	INTEGER,	-- 8 bits
> 	next CHOICE {
> 		ports	SEQUENCE {
> 				SourcePort	INTEGER, -- 16 bits
> 				DestPort }	INTEGER, -- 16 bits

This should be range of ports not single port. IKEv2 allows port
ranges. 

> 		mobilityHdr	INTEGER, -- 16 bits

This is not yet negotiable by the IKEv2. 

> 		ICMP [0] SEQUENCE {
> 			type	INTEGER,	-- 8 bits
> 			code	INTEGER } }	-- 8 bits

This is also type and code range in IKEv2. Also one closing } is
missing (matchintg the SelectorSet sequence). 

> AddrList ::=  SET OF AddrOrList

This is not possible in the IKEv2. I assume this is union of all
ranges, and this can be combined with any source and destination
pairs? 

> AddrOrList ::= CHOICE {
> 			iPAddr	IPaddr 	-- individual IP address
> 			range	IPRange} -- IP address range
> 
> IPaddr	::= CHOICE {
> 			v4Addr		INTEGER, -- 32 bits
> 			v6Addr [0] 	INTEGER } -- 128 bits
> 
> IPRange	::=	CHOICE {
> 			v4range		SEQUENCE {
> 						start	INTEGER, -- 32 bits
> 						end	INTEGER } -- 32 bits
> 			v6range [0]	SEQUENCE {
> 						start	INTEGER, -- 128 bits
> 						end	INTEGER } } -- 128 bits

Using same syntax the actual TrafficSelector which can be expressed in
the IKEv2 is:

SPD ::= SEQUENCE of SPDEntry			-- List of SPD Entries

SPDEntry ::= SEQUENCE {				-- Each entry consist of
	source		TrafficSelectorList,	-- source and 
	destination	TrafficSelectorList }	-- destination selectorlists

TrafficSelectorList ::= SET OF TrafficSelector	-- Each selectorList
						-- is list of selectors

TrafficSelector ::= SEQUENCE {			-- either source or
						-- destination selector
	Addr		IPRange,
	protocol	INTEGER,	-- 8 bits
	next CHOICE {
		ports	SEQUENCE {
				portStart	INTEGER, -- 16 bits
				portEnd }	INTEGER, -- 16 bits
		ICMP [0] SEQUENCE {
			typeStart	INTEGER,	-- 8 bits
			codeStart	INTEGER,	-- 8 bits
			typeEnd		INTEGER,	-- 8 bits
			codeEnd		INTEGER } } }	-- 8 bits

IPRange	::=	CHOICE {
			v4range		SEQUENCE {
						start	INTEGER, -- 32 bits
						end	INTEGER } -- 32 bits
			v6range [0]	SEQUENCE {
						start	INTEGER, -- 128 bits
						end	INTEGER } } -- 128 bits
-- 
kivinen@safenet-inc.com

Follow-Ups:
- Re: an SPD syntax example
  - From: Stephen Kent <kent@bbn.com>

References:
- an SPD syntax example
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: SPD name entries & IKE
Next by Date: Re: an SPD syntax example
Previous by thread: an SPD syntax example
Next by thread: Re: an SPD syntax example
Index(es):
- Date
- Thread