Re: [Ipsec] lists of protocols in 2401-bis

[Stephen Kent <kent@bbn.com>]

It is intentional that the "next protocol" selector be an individual 
value (unlike IP addresses) in a selector set entry. this is 
consistent with how IKE v2 negotiates the TS values for an SA. it 
also makes sense because one may need to associate different port 
fields with different protocols.

It is possible to associate multiple protocols (and ports) with a 
single SA by specifying multiple selector sets for that SA. See 
4.4.1.2. The discussion in 4.4.1.1 defines the selectors to be used 
in each selector set.

The table in 4.4.2 is OK, because it is a SAD, not SPD, example, and, 
as noted above, multiple protocols can be associated with an SA, by 
enumerating each in a separate selector set as part of a single SPD 
entry.

Steve


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec