List:       ipsec
Subject:    Re: [Ipsec] Intent of couple of attributes in Configuration Payload
From:       Tero Kivinen <kivinen () iki ! fi>
Date:       2004-11-22 11:28:53
Message-ID: 16801.52597.194078.620156 () fireball ! kivinen ! iki ! fi

Mohan Parthasarathy writes:
> > I.e. the server might have configuration where it has two subnets
> > 10.2.3.0/24 and 10.2.6.0/24 which it serves out to the clients. It can
> > also have policy which says that each of those subnets needs to be
> > carried through separate SA because of the policy reason. So when
> > client first contacts and gives TSr having two entries
> > 10.2.6.6-10.2.6.6 and 0.0.0.0-255.255.255.255 (the first matching the
> > actual data in the packet), the server can reply with the TSr
> > 10.2.6.0-10.2.6.255, and with configuration payload SUBNETs listing
> > both 10.2.3.0/24 and 10.2.6.0/24. This way client can know that it can
> > reach 10.2.3.0 also through the gateway, but he needs to create
> > separate SA for it.
> 
> Wow! Is this common knowledge?

Yes, I think it is.

> Does this mean the IKEv2 spec is underspecified for these?

I do not think so.

> How can one possibly infer this from the IKEv2 spec?

The IKEv2 spec is quite clear how to format TS and SUBNETs listing. It
does also specify how they are used (TS = selectors for this SA,
SUBNETS = all subnets accessible through this gateway), so I think it
is simply obvious how to use them together, even when it is not
explicitly mentioned in the document. 
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
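
The TSr narrowing and SUBNET listing described in the message above, as an added example that is not part of the original post and not code from any IKEv2 implementation. It models only the selector logic, not the wire format; the function names and the one-SA-per-subnet policy table are hypothetical, and the addresses are the ones used in the message.

```python
import ipaddress

# Constructed gateway policy from the message: two served subnets,
# each of which must be carried in its own SA.
SERVED_SUBNETS = [ipaddress.ip_network("10.2.3.0/24"),
                  ipaddress.ip_network("10.2.6.0/24")]

def ts_range(start, end):
    """A traffic selector modelled as an inclusive (start, end) address pair."""
    return (ipaddress.ip_address(start), ipaddress.ip_address(end))

def covers(ts, net):
    """True if the selector range contains the whole subnet."""
    return ts[0] <= net.network_address and net.broadcast_address <= ts[1]

def responder_narrow(proposed_tsr):
    """Gateway side: pick the TSr for this SA and the SUBNET list to advertise.

    The first proposed selector is the specific address taken from the
    triggering packet; it decides which served subnet this SA belongs to.
    """
    specific = proposed_tsr[0]
    for net in SERVED_SUBNETS:
        if specific[0] in net and specific[1] in net:
            whole = (net.network_address, net.broadcast_address)
            # Widen to the whole subnet only if the client proposed a range
            # containing it; otherwise keep the specific selector.
            wide_ok = any(covers(ts, net) for ts in proposed_tsr)
            return (whole if wide_ok else specific), list(SERVED_SUBNETS)
    raise ValueError("no served subnet matches the proposal (TS_UNACCEPTABLE)")

def initiator_plan(narrowed_tsr, subnets):
    """Client side: which advertised subnets this SA covers, and which
    are reachable through the gateway but need a separate SA."""
    covered = [n for n in subnets if covers(narrowed_tsr, n)]
    separate = [n for n in subnets if n not in covered]
    return covered, separate

if __name__ == "__main__":
    proposal = [ts_range("10.2.6.6", "10.2.6.6"),
                ts_range("0.0.0.0", "255.255.255.255")]
    tsr, subnets = responder_narrow(proposal)
    covered, separate = initiator_plan(tsr, subnets)
    print("TSr for this SA:", tsr[0], "-", tsr[1])
    print("covered by this SA:", [str(n) for n in covered])
    print("needs a separate SA:", [str(n) for n in separate])
```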