Ordered and unordered SPD in draft-ietf-ipsec-rfc2401bis-01
Karen, Steve,
In draft-ietf-ipsec-rfc2401bis-01, the description of the processing
model is very confusing. The problem is that it keeps switching
between two different representations of the SPD:
(a) An ordered SPD, which may contain overlapping entries
(b) An unordered SPD, which must not contain overlapping entries
So we have:
[page 16] "The SPD is an ordered database,..." - ordered SPD
[page 17] "An SPD is logically divided into three pieces, all of
which should be decorrelated ..." - unordered SPD
[page 17] "The management interface for the SPD ... MUST support
(total) ordering of these entries, as seen via this interface."
- ordered SPD
It seems as though the description of packet processing is based on an
UNordered SPD; implementors may at their discretion implement it either
as an ordered or an unordered data structure; and as a conformance
requirement, the management user interface MUST present the user with
the appearance of an ordered SPD, using the Annex B algorithm to translate
if necessary.
I appreciate that technical changes are unwelcome at this point, but I thought
I ought to try and explain why the current text is confusing.
Cheers,
Mike
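The translation Mike refers to, from an ordered SPD whose entries may overlap (first match wins) to a decorrelated, unordered SPD whose entries may not overlap (any match gives the same answer), is easier to see in code. The following is an added example written for this page, not text or code from the draft or from anyone in this thread. It shows the generic "subtract every earlier entry from this one" form of decorrelation rather than reproducing the draft's own Annex B pseudocode; the three-selector model, the tiny integer domains, the sample entries and the discard-on-no-match default are all constructed for illustration.

```python
"""Decorrelating an ordered SPD (first match, overlaps allowed) into an
unordered SPD (any match, no overlaps).

Added illustration for this page; the selector model and sample entries
are constructed, not taken from draft-ietf-ipsec-rfc2401bis.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

Range = Tuple[int, int]            # inclusive [lo, hi]
Box = Tuple[Range, ...]            # one range per selector dimension

# Selector dimensions, in order. Real selectors would be address ranges,
# ports and protocol; tiny integer domains are used here (constructed) so
# the equivalence check below can be exhaustive.
DIMS = ("remote_addr", "local_port", "proto")
DOMAIN = ((0, 15), (0, 7), (0, 3))


@dataclass(frozen=True)
class Entry:
    sel: Box        # selector hyper-rectangle
    action: str     # PROTECT / BYPASS / DISCARD


def overlaps(a: Box, b: Box) -> bool:
    """Two boxes overlap iff their ranges intersect in every dimension."""
    return all(alo <= bhi and blo <= ahi for (alo, ahi), (blo, bhi) in zip(a, b))


def contains(box: Box, point: Tuple[int, ...]) -> bool:
    return all(lo <= v <= hi for (lo, hi), v in zip(box, point))


def subtract(box: Box, other: Box) -> List[Box]:
    """Return non-overlapping boxes that together cover (box minus other).

    Dimension by dimension, slice off the part of the remaining box that
    lies below and above `other`, then shrink the remainder to the
    intersection. At most two pieces per dimension are produced.
    """
    if not overlaps(box, other):
        return [box]
    pieces: List[Box] = []
    rest = list(box)
    for i, ((lo, hi), (olo, ohi)) in enumerate(zip(box, other)):
        if lo < olo:
            below = list(rest); below[i] = (lo, olo - 1); pieces.append(tuple(below))
        if hi > ohi:
            above = list(rest); above[i] = (ohi + 1, hi); pieces.append(tuple(above))
        rest[i] = (max(lo, olo), min(hi, ohi))
    return pieces


def decorrelate(ordered: List[Entry]) -> List[Entry]:
    """Ordered SPD -> unordered SPD with the same per-packet result.

    Entry i keeps only the part of its selector not already claimed by
    entries 0..i-1, which is exactly the part first-match ordering gave it.
    """
    result: List[Entry] = []
    for i, entry in enumerate(ordered):
        boxes = [entry.sel]
        for earlier in ordered[:i]:
            boxes = [p for b in boxes for p in subtract(b, earlier.sel)]
        result.extend(Entry(b, entry.action) for b in boxes)
    return result


def lookup_ordered(spd: List[Entry], point: Tuple[int, ...]) -> str:
    """Ordered SPD semantics: the first matching entry wins."""
    for e in spd:
        if contains(e.sel, point):
            return e.action
    return "DISCARD"          # no matching entry: discard (default chosen for this example)


def lookup_unordered(spd: List[Entry], point: Tuple[int, ...]) -> str:
    """Unordered SPD semantics: any match; entries must not overlap."""
    hits = [e.action for e in spd if contains(e.sel, point)]
    if len(hits) > 1:
        raise ValueError("unordered SPD has overlapping entries")
    return hits[0] if hits else "DISCARD"


def is_decorrelated(spd: List[Entry]) -> bool:
    """True iff no two entries overlap (the precondition for any-match lookup)."""
    return not any(overlaps(a.sel, b.sel) for i, a in enumerate(spd) for b in spd[i + 1:])


def equivalent(ordered: List[Entry], unordered: List[Entry]) -> bool:
    """Exhaustively compare both lookups over the toy domain."""
    points = product(*(range(lo, hi + 1) for lo, hi in DOMAIN))
    return all(lookup_ordered(ordered, p) == lookup_unordered(unordered, p) for p in points)


# Constructed ordered SPD: a narrow BYPASS exception, a broad PROTECT rule
# that overlaps it, and a catch-all DISCARD. Order matters here.
SAMPLE_SPD = [
    Entry(((3, 3), (2, 2), (1, 1)), "BYPASS"),     # one host, one port, one proto
    Entry(((1, 10), (0, 7), (1, 1)), "PROTECT"),   # proto 1 from a range of hosts
    Entry(((0, 15), (0, 7), (0, 3)), "DISCARD"),   # everything else
]

if __name__ == "__main__":
    flat = decorrelate(SAMPLE_SPD)
    print(len(SAMPLE_SPD), "ordered entries ->", len(flat), "decorrelated entries")
    print("no overlaps:", is_decorrelated(flat))
    print("same result as ordered SPD:", equivalent(SAMPLE_SPD, flat))
```

The point the example makes is Mike's: the two representations describe the same policy, so packet processing can be specified against the unordered form while the management interface shows the ordered one, with decorrelation as the bridge. The cost is visible too: three ordered entries become seventeen non-overlapping ones, which is why an implementation might prefer to store the ordered form and decorrelate only when it needs to.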