At 2:57 PM +1000 7/27/09, Greg Daley wrote:
...
> Your reference to 4301 regarding the use of multiple parallel SAs solving
> the example is helpful. I will remove the example for clarity.
As Tero noted, RFC 4301 provides a discussion of how an
implementation can, on a local basis, deal with mapping traffic of
different priorities to different SAs, without the need to define
additional traffic selectors. That's why it has not been seen as
necessary to create traffic selectors for this purpose.
> My feeling is that the selectors cannot express the case where specific
> traffic is to be encrypted/authenticated and others are not though.
> For example, if EF and AF31 are to be encrypted but other data is to
> travel clear.
> Do you think this is sufficiently covered by the current
> definitions? This seems more like your example with regard to protocol numbers.
The protocol number example refers to the fact that we cannot express
protocol number ranges in IKE, and that caused us to remove support
for this feature from IPsec. I agree with Tero that, going forward,
we should require support for ranges of values for ALL new TS values
that we define.
If you are asking whether IPsec supports a policy where the basis for
protecting traffic is exclusively a DSCP, the answer is no. It also
is not clear that the ability to do so is a real requirement.
Steve
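As an added illustration (not code from the list or from any IPsec implementation), the Python below models the RFC 4301 selector fields (address ranges, next-layer protocol, port ranges) and the local DSCP-to-parallel-SA mapping the thread refers to. The addresses, the two-entry policy and the SA names are constructed; the point it shows is that two packets differing only in DSCP get the same SPD decision, while DSCP can still pick among parallel SAs once the SPD says PROTECT.

```python
"""Model of RFC 4301 SPD selectors plus a local DSCP -> parallel-SA mapping.
Added example for this thread; not from any IPsec implementation."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class TrafficSelector:
    """RFC 4301 selector set: address ranges, protocol, port ranges. No DSCP field."""
    local_lo: str
    local_hi: str
    remote_lo: str
    remote_hi: str
    proto: Optional[int] = None                  # None means ANY protocol
    local_ports: tuple = (0, 65535)
    remote_ports: tuple = (0, 65535)

    def matches(self, pkt: dict) -> bool:
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        return (ip_address(self.local_lo) <= src <= ip_address(self.local_hi)
                and ip_address(self.remote_lo) <= dst <= ip_address(self.remote_hi)
                and (self.proto is None or self.proto == pkt["proto"])
                and self.local_ports[0] <= pkt["sport"] <= self.local_ports[1]
                and self.remote_ports[0] <= pkt["dport"] <= self.remote_ports[1])


# Constructed, ordered SPD: UDP from 10.0.0.0/24 to 192.0.2.0/24 is protected,
# everything else bypasses. DSCP cannot appear in any entry.
SPD = [
    (TrafficSelector("10.0.0.0", "10.0.0.255", "192.0.2.0", "192.0.2.255", 17), "PROTECT"),
    (TrafficSelector("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"), "BYPASS"),
]


def spd_lookup(pkt: dict) -> str:
    """First-match SPD search over the selector fields only (DSCP is ignored)."""
    for ts, action in SPD:
        if ts.matches(pkt):
            return action
    return "DISCARD"


# Local mapping per RFC 4301 sec. 4.1: several SAs share the same selectors and
# the implementation chooses among them by DSCP. Hypothetical SA names.
EF, AF31 = 0x2E, 0x1A
PARALLEL_SAS = {EF: "SA-high", AF31: "SA-medium"}


def select_sa(pkt: dict) -> Optional[str]:
    """Only packets the SPD already marks PROTECT are steered by DSCP."""
    if spd_lookup(pkt) != "PROTECT":
        return None
    return PARALLEL_SAS.get(pkt["dscp"], "SA-default")
```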
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec