I received this email from Alfred (cc'ed above), who has kindly allowed
me to forward this to the dccp list. It asks about the use of IPsec
SPDs with DCCP Service Codes... an interesting question - do others
have ideas on how this should be handled in this I-D?
Gorry
Alfred Hönes wrote:
Hello,
I have a few comments on the Internet-Draft authored by you,
draft-ietf-dccp-serv-codes-06.
(1) IPsec
Recently, a new proposal to add the GRE key as a new selector
to IPsec has been posted (draft-deng-ipsec-gre-key-ts-00).
This has reminded me of once having noticed a potential need
for adding the DCCP service code as a selector to IPsec as well.
Quickly looking for possibly related I-Ds, I stumbled over your I-D.
Section 5.3 of your I-D deals with IPsec, but it seems to be
incompatible in spirit with the description of the intended
use of the DCCP Service Code in the remainder of the document.
I envision that the DCCP Service Code might be an appropriate
selector for the IPsec SPD, in order to initiate specific IPsec
treatment (IPsec SA setup) based on the needs to protect such
service. Conforming to the rules posed in your draft, the SAD
subsequently would have to use the 'classical' transport selector
quintuple {src_IP, dst_IP, proto=DCCP, src_port, dst_port},
and a stateful security gateway would have to trace the life
cycle of DCCP connections to properly tear down dynamically
installed IPsec SAs on DCCP connection termination, to allow for
secure re-use of the quintuple -- perhaps for another DCCP based
service requiring another type/quality of IPsec protection,
as directed by the SPD.
IMHO, this would be the appropriate model for IPsec behavior
to fully support the intended use of the DCCP Service Code.
Have there already been similar considerations to update IPsec?
(2) Editorial
<snip>
All noted editorial issues have been resolved and will appear in the
next rev. of the draft.
Kind regards,
Alfred Hönes.
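The model Alfred sketches in point (1), written out as an added toy simulation so the interaction between the three pieces is concrete: an SPD that selects on the DCCP Service Code, a SAD keyed by the classical transport quintuple, and a gateway that either does or does not track the DCCP connection life cycle. This is illustration code, not code from the draft or from any IPsec implementation; the Service Code values, addresses, ports, protection labels and class names are constructed for the example, and a Service-Code SPD selector is Alfred's proposal, not part of standard IPsec.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DCCP = 33  # IANA protocol number for DCCP

# The 'classical' SAD selector quintuple: (src_IP, dst_IP, proto, src_port, dst_port)
Quintuple = Tuple[str, str, int, int, int]


@dataclass(frozen=True)
class SpdEntry:
    service_code: int   # DCCP Service Code used as an SPD selector (proposed, not standard IPsec)
    action: str         # "PROTECT" or "BYPASS"
    protection: str     # constructed label for the SA parameters this policy demands


@dataclass
class SaEntry:
    quintuple: Quintuple
    protection: str
    spi: int


# Constructed SPD: two DCCP-based services with different protection needs.
# 0x4D454449 ("MEDI") only needs integrity; 0x43534554 ("CSET") needs confidentiality.
EXAMPLE_SPD = [
    SpdEntry(service_code=0x4D454449, action="PROTECT", protection="ESP-NULL-SHA256"),
    SpdEntry(service_code=0x43534554, action="PROTECT", protection="ESP-AES-GCM-256"),
]


class Gateway:
    def __init__(self, spd: List[SpdEntry], track_connections: bool):
        self.spd = {e.service_code: e for e in spd}
        self.sad: Dict[Quintuple, SaEntry] = {}
        self.track_connections = track_connections  # stateful vs. stateless gateway
        self._next_spi = 0x1000

    def on_dccp_request(self, q: Quintuple, service_code: int) -> Optional[SaEntry]:
        """DCCP-Request seen. The SAD is matched on the quintuple first, as IPsec does;
        only on a SAD miss does the SPD (selecting on Service Code) drive SA setup."""
        if q[2] != DCCP:
            raise ValueError("not a DCCP flow")
        if q in self.sad:
            return self.sad[q]          # an existing SA wins, whatever the new Service Code says
        policy = self.spd.get(service_code)
        if policy is None or policy.action != "PROTECT":
            return None                 # no policy / BYPASS: no SA is set up
        sa = SaEntry(q, policy.protection, self._next_spi)
        self._next_spi += 1
        self.sad[q] = sa
        return sa

    def on_dccp_close(self, q: Quintuple) -> bool:
        """DCCP-Close/Reset seen. Only a stateful gateway tears the SA down,
        freeing the quintuple for secure re-use under a different policy."""
        if not self.track_connections:
            return False
        return self.sad.pop(q, None) is not None


def run_scenario(track_connections: bool) -> Tuple[str, Optional[str]]:
    """Two DCCP connections re-use the same quintuple for different services.
    Returns the protection actually applied to each connection."""
    gw = Gateway(EXAMPLE_SPD, track_connections)
    q = ("192.0.2.10", "198.51.100.20", DCCP, 40000, 5004)  # constructed addresses/ports
    first = gw.on_dccp_request(q, 0x4D454449)               # integrity-only service
    assert first is not None
    gw.on_dccp_close(q)                                     # connection terminates
    second = gw.on_dccp_request(q, 0x43534554)              # service needing confidentiality
    return first.protection, (second.protection if second else None)


if __name__ == "__main__":
    print("stateful gateway :", run_scenario(True))
    print("stateless gateway:", run_scenario(False))
```

With connection tracking the second connection gets the SA its own policy demands; without it the stale integrity-only SA left behind by the first connection is silently re-used for the service that needed confidentiality, which is exactly the reason Alfred gives for requiring the gateway to follow the DCCP connection life cycle.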