
Re: Traffic selectors in IKEv2



Charlie,
 
> My reading of the spec is that this is allowed, and I can imagine it
> being useful. If I as a road warrior tunnel into my corporate network
> and want all of my internet traffic to be routed through the corporate
> network in order to be protected by its firewall, I would want to tunnel
> all addresses.
> 
In this case, the road warrior would use TSr with the selector that encompasses
all addresses ("all-traffic") and TSi as its own address allocated earlier in the
CFG request.

I wanted to know about the TSi. Can TSi contain the "all-traffic" selector?
This is useful for other VPN cases, e.g. PPVPNs. In this case, you need
other mechanisms to direct traffic to the right tunnel. In the road warrior case
the SG would use the road warrior's address to direct packets to the tunnel.
So, can TSi and TSr contain an "all-traffic" selector? I assume that the
spec itself does not preclude this. But the peer may refuse to accept (or trim) such
a selector. Is that right?

-thanks
mohan


> Stretching my imagination only a little further, I can imagine wanting
> multiple SAs to separate voice and data traffic (because the network
> might do some different QOS for the two kinds of traffic).
> 
> --Charlie
> 
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Mohan Parthasarathy
> Sent: Friday, February 20, 2004 10:34 AM
> To: ipsec@lists.tislabs.com
> Subject: Traffic selectors in IKEv2
> 
> I have a couple of questions on the Traffic selectors in IKEv2.
> 
> 1) Traffic selectors allow a range of addresses. Is the range
>    encompassing all the addresses from 0 to 255.255.255.255 valid
>    (similarly for IPv6)? Nothing in the spec seems to preclude it.
> 
> 2) IKEv2 specifically allows multiple IPsec SAs to co-exist (and be
>    used) for the same traffic selector between the same endpoints. I
>    would assume that multiple SAs for the selectors specifying all the
>    addresses is still possible between the same endpoints. Is that
>    allowed?
> 
> thanks
> mohan
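To make the "all-traffic" question concrete, here is an added example (not code from this thread or from any IKEv2 implementation) that encodes a TS_IPV4_ADDR_RANGE Traffic Selector in the IKEv2 wire layout (RFC 4306 section 3.13.1) and shows what a responder's narrowing step does with a 0.0.0.0-255.255.255.255 proposal: it is trimmed to the intersection with local policy, or rejected (TS_UNACCEPTABLE) when there is no overlap. Port ranges are treated as plain numeric ranges; the OPAQUE/ANY port conventions are left out for brevity.

```python
import struct
from ipaddress import IPv4Address

TS_IPV4_ADDR_RANGE = 7  # TS Type value, RFC 4306 section 3.13.1


def encode_ts_ipv4(proto, start_port, end_port, start_addr, end_addr):
    """One Traffic Selector: type(1) proto(1) length(2) start_port(2)
    end_port(2) start_addr(4) end_addr(4) = 16 bytes, network order."""
    return struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, 16,
                       start_port, end_port,
                       IPv4Address(start_addr).packed,
                       IPv4Address(end_addr).packed)


def decode_ts_ipv4(data):
    ts_type, proto, length, sp, ep, start, end = struct.unpack(
        "!BBHHH4s4s", data[:16])
    if ts_type != TS_IPV4_ADDR_RANGE or length != 16:
        raise ValueError("not a TS_IPV4_ADDR_RANGE selector")
    return {"proto": proto, "ports": (sp, ep),
            "start": str(IPv4Address(start)), "end": str(IPv4Address(end))}


# The "all-traffic" selector discussed in the thread: any protocol,
# any port, every IPv4 address.
ALL_TRAFFIC_V4 = encode_ts_ipv4(0, 0, 65535, "0.0.0.0", "255.255.255.255")


def narrow(proposed, policy):
    """Responder-side narrowing (RFC 4306 section 2.9): return the
    selector covering only what both the proposal and local policy
    allow, or None when nothing overlaps (TS_UNACCEPTABLE)."""
    p, q = decode_ts_ipv4(proposed), decode_ts_ipv4(policy)
    # IP protocol ID 0 means "any"; two specific but different IDs clash.
    if p["proto"] and q["proto"] and p["proto"] != q["proto"]:
        return None
    proto = p["proto"] or q["proto"]
    lo_addr = max(IPv4Address(p["start"]), IPv4Address(q["start"]))
    hi_addr = min(IPv4Address(p["end"]), IPv4Address(q["end"]))
    lo_port = max(p["ports"][0], q["ports"][0])
    hi_port = min(p["ports"][1], q["ports"][1])
    if lo_addr > hi_addr or lo_port > hi_port:
        return None
    return encode_ts_ipv4(proto, lo_port, hi_port, str(lo_addr), str(hi_addr))


if __name__ == "__main__":
    # Constructed policy: the responder only protects 10.0.0.0/16.
    corp = encode_ts_ipv4(0, 0, 65535, "10.0.0.0", "10.0.255.255")
    print(decode_ts_ipv4(narrow(ALL_TRAFFIC_V4, corp)))
```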