Hi Paul,

To express all ICMP[v6] types and codes, you would use a start port value
of 0 (0x00:00), and an end port value of 65535 (0xFF:FF).

To express all MIPv6 types, you would use a start port value of 0
(0x00:00), and an end port value of 65280 (0xFF:00).


Scott Moonen ([email protected])
Secure Hybrid Cloud and z/OS Communications Server
http://www.linkedin.com/in/smoonen



From:   Paul Wouters <[email protected]>
To:     [email protected]
Date:   2012-02-22 16:50
Subject:        [IPsec] (IKEv2) ICMP traffic selector question on ICMP
Sent by:        [email protected]




Hi,

I am wondering how to set the traffic selector to allow "all icmp"

http://tools.ietf.org/html/rfc5996#section-3.13.1

       Start Port (2 octets, unsigned integer) - Value specifying the
       smallest port number allowed by this Traffic Selector.  For
       protocols for which port is undefined (including protocol 0), or
       if all ports are allowed, this field MUST be zero.  ICMP and
       ICMPv6 Type and Code values, as well as Mobile IP version 6
       (MIPv6) mobility header (MH) Type values, are represented in this
       field as specified in Section 4.4.1.1 of [IPSECARCH].  ICMP Type
       and Code values are treated as a single 16-bit integer port
       number, with Type in the most significant eight bits and Code in
       the least significant eight bits.  MIPv6 MH Type values are
       treated as a single 16-bit integer port number, with Type in the
       most significant eight bits and the least significant eight bits
       set to zero.


If I use the above description, I would set the protocol to 1, but I
cannot set startport to 0, as that would mean to only allow Type 0
with Code 0, which means "ICMP Reply"?

The text is further confusing because it states "this field MUST be
zero" for portless protocols, and then immediately breaks that rule
by stating what I think is an exception to that rule?

Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
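
The encoding discussed in this thread, as an added example that is not part of either message: Python that packs ICMP Type/Code into the 16-bit port fields of an RFC 5996 section 3.13.1 Traffic Selector and tests values against the resulting range. The function names and the 192.0.2.0/24 selectors are constructed for illustration.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8    # TS Type values, RFC 5996 3.13.1
PROTO_ICMP, PROTO_ICMPV6, PROTO_MH = 1, 58, 135  # IANA IP protocol numbers


def icmp_port(icmp_type, icmp_code):
    """ICMP Type in the high octet, Code in the low octet of the port field."""
    if not (0 <= icmp_type <= 0xFF and 0 <= icmp_code <= 0xFF):
        raise ValueError("ICMP type and code are one octet each")
    return (icmp_type << 8) | icmp_code


def mh_port(mh_type):
    """MIPv6 MH Type in the high octet, low octet set to zero."""
    return icmp_port(mh_type, 0)


def build_ts(proto, start_port, end_port, first_addr, last_addr):
    """Serialize one selector: TS Type, protocol, length, ports, address range."""
    first, last = ipaddress.ip_address(first_addr), ipaddress.ip_address(last_addr)
    if first.version != last.version or first > last or start_port > end_port:
        raise ValueError("inconsistent selector range")
    ts_type = TS_IPV4_ADDR_RANGE if first.version == 4 else TS_IPV6_ADDR_RANGE
    addrs = first.packed + last.packed
    return struct.pack("!BBHHH", ts_type, proto, 8 + len(addrs),
                       start_port, end_port) + addrs


def ts_matches(ts, proto, port, addr):
    """True if (proto, 16-bit port value, addr) falls inside the selector."""
    ts_type, ts_proto, length, start, end = struct.unpack("!BBHHH", ts[:8])
    if length != len(ts) or ts_type not in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE):
        raise ValueError("malformed traffic selector")
    half = (length - 8) // 2
    first = ipaddress.ip_address(ts[8:8 + half])
    last = ipaddress.ip_address(ts[8 + half:])
    ip = ipaddress.ip_address(addr)
    # Protocol 0 in a selector means "any protocol"; the port is one 16-bit range.
    return (ts_proto in (0, proto) and start <= port <= end
            and ip.version == first.version and first <= ip <= last)


# Constructed selectors over the documentation range 192.0.2.0/24.
NET = ("192.0.2.0", "192.0.2.255")
ALL_ICMP = build_ts(PROTO_ICMP, 0, 0xFFFF, *NET)          # every type and code
ECHO_ONLY = build_ts(PROTO_ICMP, icmp_port(8, 0), icmp_port(8, 0xFF), *NET)
```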


