Re: an SPD syntax example
> ---------
>
> SPD ::= SEQUENCE OF SPDEntry
>
> SPDEntry ::= SET OF SelectorSet
>
> SelectorSet ::= SEQUENCE {
>     sourceAddr AddrList,
>     destAddr   AddrList,
>     protocol   INTEGER,           -- 8 bits
>     next CHOICE {
>         ports SEQUENCE {
>             sourcePort INTEGER,   -- 16 bits
>             destPort   INTEGER }, -- 16 bits
A range of ports can be allowed.
>         mobilityHdr INTEGER,      -- 16 bits
>         icmp [0] SEQUENCE {
>             type INTEGER,         -- 8 bits
>             code INTEGER } } }    -- 8 bits
>
> AddrList ::= SET OF AddrOrList
It is better to make this as close to the IKEv2 Traffic Selector as
possible. Based on that, each IP address range should be combined with a
Protocol/Port Range. This ASN.1 description seems to be creating a set that
maps multiple IP address ranges to a single Protocol and Port (Range).
AddrList ::= AddrOrRangeOrSubnet
>
> AddrOrList ::= CHOICE {
>     iPAddr IPaddr,    -- individual IP address
>     range  IPRange }  -- IP address range
The above should become:
AddrOrRangeOrSubnet ::= CHOICE {
    ipAddr IPaddr,
    range  IPRange,
    subnet SubNet }
>
> IPaddr ::= CHOICE {
>     v4Addr INTEGER,        -- 32 bits
>     v6Addr [0] INTEGER }   -- 128 bits
>
> IPRange ::= CHOICE {
>     v4range SEQUENCE {
>         start INTEGER,     -- 32 bits
>         end   INTEGER },   -- 32 bits
>     v6range [0] SEQUENCE {
>         start INTEGER,     -- 128 bits
>         end   INTEGER } }  -- 128 bits
Internally, subnet and IPaddr should be converted to a range if IKEv2 is
used for key management.
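As an added worked example (mine, not code from this thread or from any
IKEv2 implementation), here is a small Python sketch of the conversion the
reply recommends: each ipAddr / subnet / range alternative collapses to an
inclusive start/end pair, each pair is combined with the protocol and one
port range, and the result is serialised as an IKEv2 Traffic Selector
substructure (RFC 7296, section 3.13.1: TS Type, IP Protocol ID, Selector
Length, Start Port, End Port, Starting Address, Ending Address). The string
forms used for address entries, the dict shape of a SelectorSet, the "kind"
field standing in for the next CHOICE, and the SAMPLE data are all my
assumptions; only the ports and ICMP alternatives are mapped.

```python
"""Collapse AddrOrRangeOrSubnet entries to start/end ranges and pair each
range with the protocol and a port range, the way IKEv2 traffic selectors
carry them.  Added example; input shapes are assumptions, not the thread's."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS Type values from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8


def to_range(entry):
    """Normalise one address entry to an inclusive (start, end) pair.
    Assumed textual forms: "192.0.2.1" (ipAddr), "192.0.2.0/24" (subnet)
    or "192.0.2.10-192.0.2.20" (range).  strict=True makes a subnet with
    host bits set an error instead of silently masking them away."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    elif "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)
        lo, hi = net.network_address, net.broadcast_address
    else:
        lo = hi = ipaddress.ip_address(entry)
    if lo.version != hi.version:
        raise ValueError("range mixes IPv4 and IPv6: %s" % entry)
    if int(lo) > int(hi):
        raise ValueError("range start is above its end: %s" % entry)
    return lo, hi


def port_range(next_sel, side):
    """Map the `next` CHOICE onto the 16-bit Start/End Port fields for one
    side ("src" or "dst").  For ICMP, IKEv2 treats type and code as a
    single 16-bit value, (type << 8) | code, for filtering purposes."""
    if next_sel["kind"] == "ports":
        return next_sel[side]                      # (low, high) tuple
    if next_sel["kind"] == "icmp":
        value = (next_sel["type"] << 8) | next_sel["code"]
        return value, value
    raise ValueError("unsupported selector kind %r" % next_sel["kind"])


def build_selectors(selector_set):
    """Expand one SelectorSet into two lists of (proto, ports, start, end)
    tuples: every source range paired with the source port range, every
    destination range with the destination port range.  A SET of address
    ranges thus yields one selector per range rather than one selector
    that tries to carry several ranges."""
    proto, nxt = selector_set["protocol"], selector_set["next"]
    src = [(proto, port_range(nxt, "src")) + to_range(a)
           for a in selector_set["sourceAddr"]]
    dst = [(proto, port_range(nxt, "dst")) + to_range(a)
           for a in selector_set["destAddr"]]
    return src, dst


def encode_ts(proto, ports, lo, hi):
    """Serialise one selector as an RFC 7296 Traffic Selector substructure:
    TS Type | IP Protocol ID | Selector Length | Start Port | End Port |
    Starting Address | Ending Address (16 bytes for IPv4, 40 for IPv6)."""
    if lo.version == 4:
        ts_type, addr_len = TS_IPV4_ADDR_RANGE, 4
    else:
        ts_type, addr_len = TS_IPV6_ADDR_RANGE, 16
    header = struct.pack("!BBHHH", ts_type, proto, 8 + 2 * addr_len,
                         ports[0], ports[1])
    return header + lo.packed + hi.packed


# Constructed sample SelectorSet (not from the thread): TCP from a /24 and
# one host to a short range of responders, any source port to port 443.
SAMPLE = {
    "sourceAddr": ["192.0.2.0/24", "198.51.100.7"],
    "destAddr": ["203.0.113.10-203.0.113.20"],
    "protocol": 6,
    "next": {"kind": "ports", "src": (0, 65535), "dst": (443, 443)},
}

if __name__ == "__main__":
    src, dst = build_selectors(SAMPLE)
    for label, sels in (("TSi", src), ("TSr", dst)):
        for sel in sels:
            print(label, encode_ts(*sel).hex())
```

Two checks worth keeping in any real conversion are visible here: a range
whose start is above its end is rejected rather than producing a selector
that matches nothing (or, with unsigned wraparound, everything), and a
"subnet" with host bits set is refused rather than quietly widened.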