
RE: Traffic selectors in IKEv2



My reading of the spec is that this is allowed, and I can imagine it
being useful. If I as a road warrior tunnel into my corporate network
and want all of my internet traffic to be routed through the corporate
network in order to be protected by its firewall, I would want to tunnel
all addresses.

Stretching my imagination only a little further, I can imagine wanting
multiple SAs to separate voice and data traffic (because the network
might do some different QOS for the two kinds of traffic).

	--Charlie

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Mohan Parthasarathy
Sent: Friday, February 20, 2004 10:34 AM
To: ipsec@lists.tislabs.com
Subject: Traffic selectors in IKEv2

I have a couple of questions on the Traffic selectors in IKEv2.

1) Traffic selectors allow a range of addresses. Is the range
    encompassing all the addresses from 0 to 255.255.255.255 valid
    (similarly for IPv6)? Nothing in the spec seems to preclude it.

2) IKEv2 specifically allows multiple IPsec SAs to co-exist (and be
    used) for the same traffic selector between the same endpoints. I
    would assume that multiple SAs for the selectors specifying all the
    addresses is still possible between the same endpoints. Is that
    allowed?

thanks
mohan
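
The all-addresses selector discussed in this thread, as an added example that is not part of either message: the code encodes and validates single Traffic Selectors using the layout published in RFC 7296 section 3.13.1 (the thread itself predates the RFC), and checks whether a narrower selector falls inside the full range. Function names and the sample selectors are hypothetical and constructed for illustration.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS Type values from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8

def encode_ts(start, end, proto=0, start_port=0, end_port=65535):
    """Encode one Traffic Selector; proto 0 means any IP protocol."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != b.version or a > b or start_port > end_port:
        raise ValueError("malformed selector range")
    ts_type = TS_IPV4_ADDR_RANGE if a.version == 4 else TS_IPV6_ADDR_RANGE
    length = 8 + 2 * len(a.packed)          # 16 for IPv4, 40 for IPv6
    header = struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port)
    return header + a.packed + b.packed

def decode_ts(buf):
    """Decode one Traffic Selector, rejecting bad lengths and inverted ranges."""
    if len(buf) < 8:
        raise ValueError("truncated selector header")
    ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", buf[:8])
    alen = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
    if alen is None or length != 8 + 2 * alen or len(buf) != length:
        raise ValueError("bad selector type or length")
    a = ipaddress.ip_address(buf[8:8 + alen])
    b = ipaddress.ip_address(buf[8 + alen:])
    if a > b or sport > eport:
        raise ValueError("inverted range")
    return {"proto": proto, "ports": (sport, eport), "addrs": (a, b)}

def is_subset(inner, outer):
    """True if every packet matching `inner` also matches `outer`."""
    return (inner["addrs"][0].version == outer["addrs"][0].version
            and outer["proto"] in (0, inner["proto"])
            and outer["ports"][0] <= inner["ports"][0]
            and inner["ports"][1] <= outer["ports"][1]
            and outer["addrs"][0] <= inner["addrs"][0]
            and inner["addrs"][1] <= outer["addrs"][1])

# Constructed sample selectors: "everything" for IPv4 and IPv6, and a
# narrower UDP/5060 selector such as a separate voice SA might use.
ANY_V4 = encode_ts("0.0.0.0", "255.255.255.255")
ANY_V6 = encode_ts("::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")
VOICE_V4 = encode_ts("10.0.0.0", "10.255.255.255", proto=17,
                     start_port=5060, end_port=5060)
```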