On Nov 16, 2011, at 3:38 PM, Tero Kivinen wrote:

> Frederic Detienne writes:
>>> Frederic Detienne writes:
>>>> And like I said earlier, the amount of negotiation when there are
>>>> multiple prefixes to protect is limited to one. With "modern ipsec
>>>> tunneling" (got to love that), there is still a lot of negotiation
>>>> going on.
>>>
>>> I do not understand what you are trying to say there.
>>
>> Even with "modern ipsec tunneling", one selector has to be
>> negotiated for each pair of prefixes to protect. This can amount to
>> a lot of selectors to negotiate in practice.
>
> Not for each pair of prefixes, but one selector for each subnet
> in total. I.e. if one end has 10 subnets and another has 100, then you
> need 10 initiator traffic selectors and 100 responder traffic
> selectors.
You could even negotiate universal selectors (0.0.0.0-255.255.255.255) and then use some other source of policy (for example: the subnet attribute in the configuration payload). I think that is what Microsoft's IKEv2 clients do, but it has been over a year since I looked at it, so I may be wrong.

We could document an "any" selector.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
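Added example, not code from the thread or from any IKE implementation: the two points above (one selector per subnet rather than per subnet pair, and a universal "any" selector) are easy to check by encoding the TSi/TSr payloads exactly as RFC 7296 section 3.13 lays them out and parsing them back. The only things taken from the RFC are the field layout, the TS Type values 7 and 8, and the one-octet "Number of TSs" field; the `negotiate` helper, the `sa_covers` matching rule and the 10-subnet and 100-subnet lists are constructed for the illustration. The configuration-payload subnet attribute mentioned above is not modelled; the universal selector is shown only as a single range on the wire.

```python
"""Added example (not from the thread or any IKE implementation): encode and
parse IKEv2 Traffic Selector payloads as laid out in RFC 7296 section 3.13,
to show that an end with N subnets contributes N selectors to TSi or TSr,
and that a universal 0.0.0.0-255.255.255.255 selector is just one more range."""
import ipaddress
import struct
from dataclasses import dataclass

TS_IPV4_ADDR_RANGE = 7      # TS Type values from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8
NO_NEXT_PAYLOAD = 0         # Next Payload value when nothing follows
ANY_PROTOCOL = 0            # IP Protocol ID 0 means "any"


@dataclass(frozen=True)
class TrafficSelector:
    start: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    end: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    proto: int = ANY_PROTOCOL
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_network(cls, net, proto=ANY_PROTOCOL, start_port=0, end_port=65535):
        """One selector per subnet: the range is the subnet's first..last address."""
        n = ipaddress.ip_network(net, strict=False)
        return cls(n.network_address, n.broadcast_address, proto, start_port, end_port)

    def encode(self):
        """TS Type, IP Protocol ID, Selector Length, Start Port, End Port,
        Starting Address, Ending Address (RFC 7296 section 3.13.1)."""
        ts_type = TS_IPV4_ADDR_RANGE if self.start.version == 4 else TS_IPV6_ADDR_RANGE
        addrs = self.start.packed + self.end.packed
        return struct.pack("!BBHHH", ts_type, self.proto, 8 + len(addrs),
                           self.start_port, self.end_port) + addrs

    def contains(self, addr, port, proto):
        a = ipaddress.ip_address(addr)
        if a.version != self.start.version:
            return False
        if self.proto != ANY_PROTOCOL and self.proto != proto:
            return False
        return self.start <= a <= self.end and self.start_port <= port <= self.end_port


# The "any" selector discussed above: whole IPv4 space, any port, any protocol.
UNIVERSAL_IPV4 = TrafficSelector(ipaddress.ip_address("0.0.0.0"),
                                 ipaddress.ip_address("255.255.255.255"))


def build_ts_payload(selectors, next_payload=NO_NEXT_PAYLOAD):
    """Generic payload header (Next Payload, C/reserved, Payload Length) followed by
    Number of TSs, 3 reserved octets, then the selectors. The count field is one
    octet, so a single TSi or TSr payload carries at most 255 selectors."""
    if not 1 <= len(selectors) <= 255:
        raise ValueError("a TS payload must carry between 1 and 255 selectors")
    body = b"".join(ts.encode() for ts in selectors)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body


def parse_ts_payload(data):
    """Inverse of build_ts_payload; rejects length fields that disagree with the data."""
    next_payload, _flags, length, count = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("payload length mismatch")
    selectors, off = [], 8
    for _ in range(count):
        ts_type, proto, ts_len, sport, eport = struct.unpack("!BBHHH", data[off:off + 8])
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}[ts_type]
        if ts_len != 8 + 2 * addr_len:
            raise ValueError("bad selector length")
        start = ipaddress.ip_address(data[off + 8:off + 8 + addr_len])
        end = ipaddress.ip_address(data[off + 8 + addr_len:off + ts_len])
        selectors.append(TrafficSelector(start, end, proto, sport, eport))
        off += ts_len
    if off != len(data):
        raise ValueError("trailing bytes after last selector")
    return next_payload, selectors


def sa_covers(tsi, tsr, src, sport, dst, dport, proto):
    """Initiator's view: a packet falls under the Child SA when its source matches
    any TSi entry and its destination matches any TSr entry, so 10 + 100 negotiated
    selectors still cover all 10 x 100 subnet pairs."""
    return (any(t.contains(src, sport, proto) for t in tsi)
            and any(t.contains(dst, dport, proto) for t in tsr))


def negotiate(initiator_subnets, responder_subnets):
    """Constructed exchange (hypothetical helper): each side lists its subnets once.
    Returns the selector lists the peer sees after a wire round trip."""
    tsi_wire = build_ts_payload([TrafficSelector.from_network(n) for n in initiator_subnets])
    tsr_wire = build_ts_payload([TrafficSelector.from_network(n) for n in responder_subnets])
    return parse_ts_payload(tsi_wire)[1], parse_ts_payload(tsr_wire)[1]


if __name__ == "__main__":
    # Constructed sample: 10 subnets on the initiator, 100 on the responder.
    tsi, tsr = negotiate([f"10.0.{i}.0/24" for i in range(10)],
                         [f"192.168.{i}.0/24" for i in range(100)])
    print(len(tsi), "initiator selectors,", len(tsr), "responder selectors")
    print(sa_covers(tsi, tsr, "10.0.3.5", 40000, "192.168.42.9", 443, 6))
```

The 255-per-payload limit is the practical caveat behind the "any" selector idea: once a site has more prefixes than fit in one TS payload, a universal range plus out-of-band policy (or several Child SAs) is the only way to cover them in one negotiation.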