Re: SPD Syntax Example
At 6:51 +0530 1/24/04, ravivsn@roc.co.in wrote:
>Hi,
> After some thinking, I also feel that providing this kind of flexibility
> is good. It is really going to solve the problem
> of creating security tunnel between two sites, having multiple
> subnets, when combined with services.
>
> To support this kind of flexibility, the current TS is not good
> enough. Based on the example given, 3000 Traffic Selectors need to
> be sent (did I get my math correct?), which results in 40K of
> data in the IKE message.
>
> I could think of two approaches.
> - Provide flexibility in TS, where IP address ranges represented
> independently from Port ranges.
> - TS payload carrying symbolic name
>
> I see that rfc2401bis talks about symbolic names, and the same can
> be sent in the TS to facilitate this.
>
> I hope, IKEv2 can accommodate this.
>
>Thanks
>Ravi
Ravi,
Symbolic names are not sent in payloads. Their use is very
restricted. We'll be explaining more about this in an upcoming
2401bis revision message.
I don't recall the example in detail, but it seems unlikely that, in
practice, one would need to send such a big TS payload. We have
ranges for addresses and one can express any subnet via a range, so
the suggestion to add subnets as a separate type of selector
specification adds no new functionality.
And, as others have mentioned, we're too far along in the process to
make a change of the sort suggested.
Steve
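The two technical points in this exchange, that any subnet is expressible as an address range (so a subnet selector type adds nothing), and that coupling address ranges with port ranges in one selector multiplies the number of selectors, can be checked with a small script. The following is an added illustration, not code from either poster or from any IKEv2 implementation; the subnets and port ranges are constructed sample input, and the byte sizes assume the IKEv2 Traffic Selector payload layout as later published in RFC 7296 section 3.13 (8 bytes of payload header plus 16 bytes per IPv4 range entry or 40 per IPv6 entry, with a one-octet "Number of TSs" field).

```python
import ipaddress
from itertools import product

# IKEv2 Traffic Selector payload sizes (RFC 7296 section 3.13):
# generic payload header (4 bytes) + Number of TSs (1) + RESERVED (3),
# then one Traffic Selector substructure per entry.
TS_PAYLOAD_HEADER_LEN = 8
TS_ENTRY_LEN = {4: 16, 6: 40}   # TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE
MAX_TS_PER_PAYLOAD = 255         # "Number of TSs" is a single octet


def subnet_to_range(cidr):
    """A CIDR prefix is exactly one contiguous address range:
    first address .. last address of the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def range_to_subnets(start, end):
    """The converse is not one-to-one: an arbitrary range may need
    several prefixes, which is why a range selector is the more
    general of the two."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def build_selectors(subnets, port_ranges, proto=0):
    """Each TS entry couples one address range with one port range, so
    N subnets combined with M port ranges need N*M entries."""
    selectors = []
    for cidr, (first_port, last_port) in product(subnets, port_ranges):
        start, end = subnet_to_range(cidr)
        selectors.append({
            "proto": proto,
            "start_addr": start, "end_addr": end,
            "start_port": first_port, "end_port": last_port,
        })
    return selectors


def ts_payload_length(selectors):
    """Wire size of a TS payload carrying these selectors, or None if
    the count does not fit the one-octet Number-of-TSs field."""
    if len(selectors) > MAX_TS_PER_PAYLOAD:
        return None
    total = TS_PAYLOAD_HEADER_LEN
    for s in selectors:
        version = ipaddress.ip_address(s["start_addr"]).version
        total += TS_ENTRY_LEN[version]
    return total


if __name__ == "__main__":
    # Constructed sample: three site subnets, two service port ranges
    subnets = ["10.1.0.0/24", "10.2.0.0/23", "192.168.5.0/26"]
    ports = [(80, 80), (443, 443)]
    sels = build_selectors(subnets, ports, proto=6)
    print(len(sels), "selectors,", ts_payload_length(sels), "bytes")
    print(range_to_subnets("10.0.0.1", "10.0.0.6"))
```

Running it shows the multiplicative growth Ravi is concerned about (three subnets and two services already give six entries), and `range_to_subnets` shows why a range is strictly more expressive than a prefix: 10.0.0.1 to 10.0.0.6 needs four prefixes but one range entry. The size check also surfaces a hard limit of the format: more than 255 entries cannot be carried in a single TS payload at all.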