
Re: an SPD syntax example



> ---------
>
> SPD ::= SEQUENCE OF SPDEntry
>
> SPDEntry ::= SET OF SelectorSet
>
> SelectorSet ::= SEQUENCE {
> 	sourceAddr	AddrList,
> 	destAddr	AddrList,
> 	protocol	INTEGER,	-- 8 bits
> 	next CHOICE {
> 		ports	SEQUENCE {
> 				SourcePort	INTEGER, -- 16 bits
> 				DestPort	INTEGER }, -- 16 bits
Range of ports can be allowed.

> 		mobilityHdr	INTEGER, -- 16 bits
> 		ICMP [0] SEQUENCE {
> 			type	INTEGER,	-- 8 bits
> 			code	INTEGER } } }	-- 8 bits
>
> AddrList ::= SET OF AddrOrList

It is better to make this as close to IKEv2 Traffic Selector as
possible. Based on that, each IP address range should be combined with
Protocol/Port Range. This ASN.1 description seems to be creating a set with
multiple IP address ranges to a single Protocol and Port (Range).

AddrList ::= AddrOrRangeOrSubnet

>
> AddrOrList ::= CHOICE {
> 			iPAddr	IPaddr 	-- individual IP address
> 			range	IPRange} -- IP address range

Above should become
AddrOrRangeOrSubnet ::= CHOICE {
                         ipAddr IPaddr,
                         range IPRange,
                         subnet subNet
                      }
>
> IPaddr	::= CHOICE {
> 			v4Addr		INTEGER, -- 32 bits
> 			v6Addr [0] 	INTEGER } -- 128 bits
>
> IPRange	::=	CHOICE {
> 			v4range		SEQUENCE {
> 						start	INTEGER, -- 32 bits
> 						end	INTEGER }, -- 32 bits
> 			v6range [0]	SEQUENCE {
> 						start	INTEGER, -- 128 bits
> 						end	INTEGER } } -- 128 bits

Internally, subnet and IPAddr should be converted to range, if IKEv2 is
used for key management.
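As an added example, not code from either poster in this thread, the following Python sketch shows the two points made above: each of the three AddrOrRangeOrSubnet forms (single address, subnet, explicit range) is normalised to a start/end range, and every range is paired with its own protocol and port range before being laid out in the IKEv2 Traffic Selector substructure format of RFC 7296 section 3.13.1 (TS type 7 for IPv4 ranges, 8 for IPv6; ICMP type/code carried in the port fields). The textual selector forms, the function names and the sample addresses are assumptions of the example, not anything the thread defines.

```python
import ipaddress
import struct

# IKEv2 Traffic Selector (TS) type codes, RFC 7296 section 3.13.1.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8


def to_range(selector):
    """Collapse the three AddrOrRangeOrSubnet forms into one (start, end) pair.

    Textual forms used here (an assumption of this example, not of the thread):
      "10.0.0.5"           single address -> start == end
      "10.0.0.0/24"        subnet         -> first .. last address of the prefix
      "10.0.0.1-10.0.0.9"  explicit range -> as given
    """
    if "-" in selector:
        lo_s, hi_s = selector.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version:
            raise ValueError("range endpoints must share an IP version")
        if hi < lo:
            raise ValueError("range end precedes range start")
        return lo, hi
    if "/" in selector:
        # strict=True rejects a prefix with host bits set, e.g. 10.0.0.5/24
        net = ipaddress.ip_network(selector, strict=True)
        return net[0], net[-1]
    addr = ipaddress.ip_address(selector)
    return addr, addr


def icmp_port(icmp_type, icmp_code):
    """IKEv2 packs ICMP type/code into the 16-bit port fields: type high byte, code low byte."""
    if not (0 <= icmp_type <= 0xFF and 0 <= icmp_code <= 0xFF):
        raise ValueError("ICMP type and code are 8-bit values")
    return (icmp_type << 8) | icmp_code


def encode_ts(selector, protocol=0, start_port=0, end_port=0xFFFF):
    """Encode one address selector plus its protocol/port range as a TS substructure.

    protocol 0 means any protocol and ports 0..65535 mean any port, as in IKEv2.
    """
    lo, hi = to_range(selector)
    if lo.version == 4:
        ts_type, addr_len = TS_IPV4_ADDR_RANGE, 4
    else:
        ts_type, addr_len = TS_IPV6_ADDR_RANGE, 16
    if start_port > end_port:
        raise ValueError("port range end precedes start")
    length = 8 + 2 * addr_len  # fixed header plus starting and ending address
    header = struct.pack("!BBHHH", ts_type, protocol, length, start_port, end_port)
    return header + lo.packed + hi.packed


def decode_ts(buf):
    """Parse one TS substructure back into a dict, rejecting inconsistent lengths."""
    if len(buf) < 8:
        raise ValueError("truncated TS header")
    ts_type, protocol, length, start_port, end_port = struct.unpack("!BBHHH", buf[:8])
    addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
    if addr_len is None:
        raise ValueError("unsupported TS type %d" % ts_type)
    if length != 8 + 2 * addr_len or len(buf) < length:
        raise ValueError("TS length field does not match TS type")
    lo = ipaddress.ip_address(buf[8:8 + addr_len])
    hi = ipaddress.ip_address(buf[8 + addr_len:length])
    if hi < lo:
        raise ValueError("TS end address precedes start address")
    return {
        "ts_type": ts_type, "protocol": protocol,
        "start_port": start_port, "end_port": end_port,
        "start_addr": str(lo), "end_addr": str(hi),
    }


def selector_set_to_ts(source_addr, dest_addr, protocol,
                       src_ports=(0, 0xFFFF), dst_ports=(0, 0xFFFF)):
    """Map one SelectorSet-style entry to the (TSi, TSr) pair IKEv2 negotiates.

    Each address is paired with the protocol and its own port range, so a policy
    with several address selectors yields several TS pairs rather than one port
    range shared across a whole address set.
    """
    tsi = encode_ts(source_addr, protocol, *src_ports)
    tsr = encode_ts(dest_addr, protocol, *dst_ports)
    return tsi, tsr
```

The strict subnet parse and the start/end ordering checks are where malformed policy entries get rejected before they reach a negotiation: a subnet with host bits set, a reversed range, or a TS whose length field disagrees with its type all raise rather than silently narrowing or widening the selector.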