[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

next pass at SPD syntax

To: ipsec@lists.tislabs.com
Subject: next pass at SPD syntax
From: Stephen Kent <kent@bbn.com>
Date: Mon, 26 Jan 2004 16:31:56 -0500
Sender: owner-ipsec@lists.tislabs.com

Folks,

I made changes based on suggestions from Tero, and added descriptions 
for drop/bypass entries vs. protect (IPsec) entries. I put in the PFP 
flags, which apply to ALL corresponding traffic selectors 
(directionally) in an entry, or to none, for simplicity. I also put 
in Names, for matching against the IKE ID payload, plus the 
parameters needed to define the protection afforded IPsec SAs (mode, 
sequence number size, protocol, and algorithms).

Steve
-------


SPD ::= SEQUENCE of SPDEntry			-- List of SPD Entries

SPDEntry ::=	CHOICE (
			iPsecEntry	IPsecEntry, -- protect traffic
			bypassOrDrop	BypassOrDropEntry } -- drop/bypass

IpsecEntry ::=  SEQUENCE {		-- Each entry consist of
	name		SET OF GeneralName OPTIONAL,
				--  for matching against IKE ID payload
	source		TrafficSelectorList,	-- source and
	destination	TrafficSelectorList,	-- destination selector lists
	processing	SEQUENCE {
				mode	BOOELAN,
					 -- TRUE = transport, FALSE = tunnel
				extSeqNum	BOOLEAN,
					 -- TRUE = 64 bit, FALSE = 32 bit
				CHOICE {
					aH	integrityAlgs,
					eSP	SEQUENCE {
						integrityAlgs,
						confidentialityAlgs} } }

BypassOrDropEntry ::= SEQUENCE {
	action		BOOLEAN,	-- TRUE = bypass, FALSE = drop
	outbound  [0]	SelectorList,	OPTIONAL, -- both may be present
	inbound   [1]	SelectorList 	OPTIONAL ) -- or just one of them


TrafficSelectorList ::= SET OF SEQUENCE {
		pFP	BIT STRING {
			-- applies to ALL of the corresponding 
traffic selectors
		addrFlag		(0),
		protocolFlag		(1),
		portFlag		(2) }
		trafficSelector		TrafficSelector }


TrafficSelector ::= SEQUENCE {
			-- either source or destination selector
		addr		IPRange,
		protocol	INTEGER,	-- 8 bits
		next CHOICE {
			ports	SEQUENCE {
				portStart	INTEGER, -- 16 bits
				portEnd }	INTEGER, -- 16 bits
			mobilityHeader	INTEGER, -- 16 bits
			ICMP [0] SEQUENCE {
				typeStart	INTEGER,	-- 8 bits
				codeStart	INTEGER,	-- 8 bits
				typeEnd		INTEGER,	-- 8 bits
				codeEnd		INTEGER } } }	-- 8 bits

SeletorList ::= SEQUENCE {
		source		Addr
		destination	Addr
		protocol	INTEGER  -- 8 bits
		next CHOICE {
			ports	SEQUENCE {
				portStart	INTEGER, -- 16 bits
				portEnd }	INTEGER, -- 16 bits
			mobilityHeader	INTEGER, -- 16 bits
			ICMP [0] SEQUENCE {
				typeStart	INTEGER, -- 8 bits
				codeStart	INTEGER, -- 8 bits
				typeEnd		INTEGER, -- 8 bits
				codeEnd		INTEGER } } } -- 8 bits


IPRange	::=	CHOICE {
			v4range		SEQUENCE {
						start	INTEGER, -- 32 bits
						end	INTEGER } -- 32 bits
			v6range [0]	SEQUENCE {
						start	INTEGER, -- 128 bits
						end	INTEGER } } -- 128 bits

IntegrityAlgs ::= 	SEQUENCE OF AlgorithmIdentifier - list 
ordered by preference
ConfidentialityAlgs ::=	SEQUENCE OF AlgorithmIdentifier - list 
ordered by preference

AlgorithmIdentifier  ::=  SEQUENCE  {
         algorithm               OBJECT IDENTIFIER,
         parameters              ANY DEFINED BY algorithm OPTIONAL  }

Prev by Date: Re: SPD name entries & IKE
Next by Date: RE: an SPD syntax example
Previous by thread: Re: SPD Syntax Example
Next by thread: Issue #88: Lift the prohibition on red-side fragmentation by SG, BITS, BITW
Index(es):
- Date
- Thread