Re: [IPsec] New draft about issues in alternative Traffic Selectors in IPSec/IKEv2
Stephen Kent <kent@bbn.com> Mon, 27 July 2009 15:20 UTC
Return-Path: <kent@bbn.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB5B928C1B9 for <ipsec@core3.amsl.com>; Mon, 27 Jul 2009 08:20:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.516
X-Spam-Level:
X-Spam-Status: No, score=-2.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9oZsObGyvNM for <ipsec@core3.amsl.com>; Mon, 27 Jul 2009 08:20:27 -0700 (PDT)
Received: from mx3.bbn.com (mx3.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 1DC5F3A6AD4 for <ipsec@ietf.org>; Mon, 27 Jul 2009 08:20:27 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[78.64.88.74]) by mx3.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1MVRzo-0000wl-B3; Mon, 27 Jul 2009 11:20:12 -0400
Mime-Version: 1.0
Message-Id: <p06240802c692ff4b4807@[78.64.88.74]>
In-Reply-To: <BAY114-W3933A2D1014068248CD9B2AD140@phx.gbl>
References: <BAY114-W46C914B413819B5E72C1DCAD2D0@phx.gbl> <19051.12163.335927.934631@fireball.kivinen.iki.fi> <BAY114-W3933A2D1014068248CD9B2AD140@phx.gbl>
Date: Mon, 27 Jul 2009 11:20:09 -0400
To: Greg Daley <hoskuld@hotmail.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ipsec@ietf.org, kivinen@iki.fi
Subject: Re: [IPsec] New draft about issues in alternative Traffic Selectors in IPSec/IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 15:20:27 -0000
At 2:57 PM +1000 7/27/09, Greg Daley wrote: ... >Your reference to 4301 regarding the use of multiple parallel SAs solving >the example is helpful. I will remove the example for clarity. As Tero noted, RFC 4301 provides a discussion of how an implementation can, on a local basis, deal with mapping traffic of different priorities to different SAs, without the need to define additional traffic selectors. That's why it has not been seen as necessary to create traffic selectors for this purpose. >My feeling is that the selectors cannot express the case where specific >traffic is to be encrypted/authenticated and others are not though. >For example, if EF and AF31 are to be encrypted but other data is to >travel clear. > >Do you think this is sufficiently covered by the current >definitions? This seems >more like your example with regard to protocol numbers. The protocol number example refers to the fact that we cannot express protocol number ranges in IKE, and that caused us to remove support for this feature from IPsec. IO agree with Tero that, going forward, we should require support for ranges of values for ALL new TS values that we define. If you are asking whether IPsec supports a policy where the basis for protecting traffic is exclusively a DSCP, the answer is no. It also is not clear that the ability to do so is a real requirement. Steve
- [IPsec] New draft about issues in alternative Tra… Greg Daley
- [IPsec] New draft about issues in alternative Tra… Tero Kivinen
- Re: [IPsec] New draft about issues in alternative… Greg Daley
- Re: [IPsec] New draft about issues in alternative… Stephen Kent
- Re: [IPsec] New draft about issues in alternative… Greg Daley