Hi Mike, I'm not sure I completely understand your question.
RFC7296 requires that exactly one TSi payload and exactly one TSr payload are present in IKE_AUTH or CREATE_CHILD_SA exchanges (if the latter doesn't rekey the IKE SA). However, both TSi and TSr may contain multiple Traffic Selector substructures.

By convention, if the SA is being negotiated due to a data packet, then the very first Traffic Selectors in TSi and TSr contain specific network information from that packet (Traffic Selector in TSi - source IP address/protocol/port, Traffic Selector in TSr - destination IP address/protocol/port). The other Traffic Selectors (if any) in TSi/TSr contain a specification of additional (wider) traffic that the Initiator thinks is appropriate to send later over the SA being created. The Responder could agree on this or it could narrow these Traffic Selectors in its response. Sometimes Initiators include wildcard traffic selectors in the Request, allowing Responders to narrow them according to their policy.

Hope this helps. Feel free to ask more if you have any concerns.

Regards,
Valery Smyslov.

----- Original Message -----
From: Michael Christian
To: [email protected]
Sent: Saturday, November 21, 2015 4:20 AM
Subject: [IPsec] RFC 7296 - Internet Key Exchange Protocol Version 2 (IKEv2)

Hello,

I'm investigating a possible RFC 7296 compliance issue and I was hoping you may be able to shed some light on the RFC for me. In section 2.9, page 43, regarding multiple traffic selectors: Can two TSi proposals be sent by the initiator every time IKEv2 is negotiated due to a data packet? Or is the proposal of an unknown traffic selector type required before the initiator can respond with more specific and range TSi's?

I appreciate any clarification you may be able to provide.

Thank you,
Mike Christian
Technical Account Manager
Fortinet - The New Generation of Secure Gateways
899 Kifer Road | Sunnyvale, CA 94086 | USA

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
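The narrowing behaviour described in the reply above, as an added example that is not part of the thread: a responder walks the initiator's TSi list (triggering packet's selector first, wider ranges after it), intersects each selector with its own policy, and reports whether the specific first selector survived. The policy representation, the `TS` class and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TS:
    """One TS_IPV4_ADDR_RANGE substructure: protocol (0 = any), port range, address range."""
    proto: int
    port_lo: int
    port_hi: int
    addr_lo: IPv4Address
    addr_hi: IPv4Address

    @staticmethod
    def of(proto, ports, addrs) -> "TS":
        return TS(proto, ports[0], ports[1], ip_address(addrs[0]), ip_address(addrs[1]))

def intersect(a: TS, b: TS) -> Optional[TS]:
    """Common subset of two selectors, or None when they do not overlap."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    proto = a.proto or b.proto  # 'any' narrows to the specific protocol
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    alo, ahi = max(a.addr_lo, b.addr_lo), min(a.addr_hi, b.addr_hi)
    if plo > phi or alo > ahi:
        return None
    return TS(proto, plo, phi, alo, ahi)

def narrow(proposed: List[TS], policy: List[TS]) -> Tuple[Optional[List[TS]], bool]:
    """Responder-side narrowing of one TS payload (RFC 7296 section 2.9).

    Returns (selected, first_kept). selected is None when nothing is acceptable
    (the responder would answer TS_UNACCEPTABLE); first_kept tells whether the
    initiator's first, packet-specific selector was accepted unchanged.
    """
    selected: List[TS] = []
    for ts in proposed:               # initiator's order: specific selector first
        for pol in policy:
            common = intersect(ts, pol)
            if common is None or any(intersect(s, common) == common for s in selected):
                continue              # no overlap, or already covered by a chosen selector
            selected.append(common)
    if not selected:
        return None, False
    return selected, selected[0] == proposed[0]

# Constructed sample: the TCP packet that triggered the SA, then the whole /24.
TSI_PROPOSED = [TS.of(6, (50000, 50000), ("198.51.100.43", "198.51.100.43")),
                TS.of(0, (0, 65535), ("198.51.100.0", "198.51.100.255"))]
# Constructed responder policy: TCP from the lower half of that /24 only.
POLICY = [TS.of(6, (0, 65535), ("198.51.100.0", "198.51.100.127"))]
```

`narrow(TSI_PROPOSED, POLICY)` keeps the specific selector as the first entry and narrows the /24 to 198.51.100.0-127 with protocol 6; a policy covering only 198.51.100.128-255 drops the first selector but still yields a usable subset, and a disjoint policy yields None.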
