
Re: SPD Syntax Example



At 6:51 +0530 1/24/04, ravivsn@roc.co.in wrote:
>Hi,
>   After some thinking, I also feel that providing kind of flexibility
>   is good. It is really going to solve the problem
>   of creating security tunnel between two sites, having multiple
>   subnets, when combined with services.
>
>   To support, this kind of flexibility, current TS is not good
>   enough. Based on example given, 3000 Traffic Selectors need to
>   be sent ( Did I get my math correct? ) which results to 40K of
>   data in IKE message.
>
>   I could think of two approaches.
>   - Provide flexibility in TS, where IP address ranges represented
>     independently from Port ranges.
>   - TS payload carrying symbolic name
>
>   I see that rfc2401bis talks about symbolic name and same can
>   be sent in TS to facilitate this.
>
>   I hope, IKEv2 can accommodate this.
>
>Thanks
>Ravi

Ravi,

Symbolic names are not sent in payloads.  Their use is very 
restricted.  We'll be explaining more about this in an upcoming 
2401bis revision message.

I don't recall the example in detail, but it seems unlikely that, in 
practice, one would need to send such a big TS payload. We have 
ranges for addresses and one can express any subnet via a range, so 
the suggestion to add subnets as a separate type of selector 
specification adds no new functionality.

And, as others have mentioned, we're too far along in the process to 
make a change of the sort suggested.

Steve
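The range representation Steve refers to, as an added example that is not part of this thread: a Traffic Selector substructure encoder/decoder plus a selector match check, following the TS format as later published in RFC 7296 section 3.13.1 (the TS type values, the 8-byte TS payload header and the 16/40-byte selector sizes are from that RFC; the sample subnet, ports and protocol are constructed), with a helper for the size of a TS payload carrying N selectors.

```python
import ipaddress
import struct

# TS type values from RFC 7296 section 3.13.1.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8


def subnet_to_range(cidr):
    """A subnet is carried as an inclusive start/end address pair."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net[0], net[-1]


def encode_ts(cidr, proto=0, start_port=0, end_port=65535):
    """Encode one Traffic Selector substructure for a subnet.
    Layout: TS Type(1) | IP Protocol ID(1) | Selector Length(2) |
            Start Port(2) | End Port(2) | Starting Addr | Ending Addr.
    proto=0 means any protocol; 0-65535 means any port."""
    lo, hi = subnet_to_range(cidr)
    ts_type = TS_IPV4_ADDR_RANGE if lo.version == 4 else TS_IPV6_ADDR_RANGE
    addrs = lo.packed + hi.packed
    length = 8 + len(addrs)            # 16 bytes for IPv4, 40 for IPv6
    return struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port) + addrs


def decode_ts(buf):
    """Parse one substructure back into (type, proto, sport, eport, lo, hi)."""
    ts_type, proto, length, sp, ep = struct.unpack("!BBHHH", buf[:8])
    alen = (length - 8) // 2
    lo = ipaddress.ip_address(buf[8:8 + alen])
    hi = ipaddress.ip_address(buf[8 + alen:8 + 2 * alen])
    return ts_type, proto, sp, ep, lo, hi


def ts_covers(ts, addr, port, proto):
    """Selector matching: does a decoded TS cover this address/port/protocol?"""
    _, tproto, sp, ep, lo, hi = ts
    a = ipaddress.ip_address(addr)
    if tproto not in (0, proto) or a.version != lo.version:
        return False
    return lo <= a <= hi and sp <= port <= ep


def ts_payload_size(n_selectors, ipv6=False):
    """Bytes on the wire for a TS payload: 8-byte header + N selectors."""
    return 8 + n_selectors * (40 if ipv6 else 16)
```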