Re: an SPD syntax example
vamsi writes:
>     I felt that the original SPD syntax is good, which provides very good
>     flexibility and ease of administering the policies in large enterprise
>     environments.

The SPD format described in RFC2401bis is going to be an example SPD,
which gives out the minimal requirements for the SPD to support.
Implementations can implement any kind of compressed / optimized SPDs
as long as they can express the same thing that the minimalistic example
SPD in RFC2401bis can express.

>     Consider that, there are 50 discrete subnets in an organization and
>     the security needs to be applied for port 25, port 80 and port 110.
>     With the original approach (ASN1), proposed by Steve, it only requires
>     configuration of 50 ranges of IP addresses, 3 ranges of Ports and
>     put them in one Selector list.

So implement it as subnets and compressed source and destination
addresses. You can still "convert" that to the basic format meaning,
that anyone from the outside cannot really see which format you are
using. 

> If we go with this approach, some changes to 'Traffic Selector' in IKEv2 
> are required.
> It means that, each traffic Selector should be able to accommodate
>         Number of IP address ranges
>         <all IP address ranges>
>          Protocol
>          Number of Port ranges
>          <all Port ranges>

No. I think it is way too late to make that kind of changes to IKEv2,
and also I think the current format is so much simpler and easier to
parse, that we can live with the few extra bytes for that kind of
cases.
-- 
kivinen@safenet-inc.com
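As an added illustration (not code from the thread or from any IPsec implementation), here is the conversion kivinen describes: a compressed selector holding 50 subnets and 3 port ranges is expanded into the basic per-range entries that the RFC2401bis example SPD can express, and a lookup gives the same answer against either form. The subnet values, the TCP-only protocol and the class names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: 50 /24 subnets and the three ports (25, 80, 110) from the quoted message, all TCP.
SUBNETS = tuple(f"10.0.{i}.0/24" for i in range(50))
PORTS = ((25, 25), (80, 80), (110, 110))
TCP = 6

@dataclass(frozen=True)
class BasicSelector:
    """Minimal RFC2401bis-style entry: one address range, one protocol, one port range."""
    addr_lo: int
    addr_hi: int
    proto: int
    port_lo: int
    port_hi: int

    def matches(self, addr: str, proto: int, port: int) -> bool:
        a = int(ipaddress.ip_address(addr))
        return (self.addr_lo <= a <= self.addr_hi and self.proto == proto
                and self.port_lo <= port <= self.port_hi)

@dataclass(frozen=True)
class CompressedSelector:
    """Compressed form: many subnets x many port ranges, one protocol."""
    subnets: tuple[str, ...]
    proto: int
    ports: tuple[tuple[int, int], ...]

    def matches(self, addr: str, proto: int, port: int) -> bool:
        ip = ipaddress.ip_address(addr)
        return (self.proto == proto
                and any(ip in ipaddress.ip_network(s) for s in self.subnets)
                and any(lo <= port <= hi for lo, hi in self.ports))

    def expand(self) -> list[BasicSelector]:
        """Convert to the basic format: one entry per (subnet, port range) pair."""
        out = []
        for s in self.subnets:
            net = ipaddress.ip_network(s)
            lo, hi = int(net.network_address), int(net.broadcast_address)
            out.extend(BasicSelector(lo, hi, self.proto, plo, phi)
                       for plo, phi in self.ports)
        return out

def spd_lookup(entries: list[BasicSelector], addr: str, proto: int, port: int) -> bool:
    # Lookup against an expanded SPD: any matching entry selects the policy.
    return any(e.matches(addr, proto, port) for e in entries)

POLICY = CompressedSelector(SUBNETS, TCP, PORTS)
BASIC = POLICY.expand()  # 50 subnets x 3 port ranges = 150 basic entries
```

The expansion is what an outside peer sees through IKEv2 traffic selectors; the compressed form stays an internal storage choice.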