Re: linux-ipsec: uses of SA specifiers

From: Henry Spencer <henry(at)spsystems.net>
Date: Thu Oct 08 1998 - 17:14:32 EDT


> Catching up, I have a few suggestions:

I've always thought that it's stupid to use hex for arbitrary numbers with no interesting substructure. We don't print out TCP/IP port numbers in hex; why should we use hex for SPIs? It's silly.

However, if Bill's comment about other people using hex is correct -- I haven't dealt with other implementations enough to know, although now that I think about it, hex was the lingua franca at the interop workshops I've attended -- then *that* is a much more persuasive argument.

And I agree with him, if it's going to be hex, it should be hex all the way, and the 0x just adds clutter (once we've converted everything to using the new notation, that is!).

> 2) how about separating with colon to avoid hex ambiguity?

Remember, colon is the separator in the IPv6 equivalent of dotted-decimal notation. We want to be very careful to avoid even a hint of clashing with that.

> 12345678:ah@host.test

I experimented with doing things in that order -- it does lessen the confusion with email addresses -- but almost anything that puts "ah" after the number has some chance of being misunderstood as a hex A followed by an "h" for hexadecimal. I don't think that putting a ":" in between entirely solves that.

Also, it's important that ah12345678 be seen as a single lump, if we are going to omit the 0x. Otherwise, an SPI number that happens to contain none of the alphabetic hex digits *will* be confused with decimal. If we're going to split the protocol code from the SPI -- I'm not sure why, really -- then the 0x has to come back, I think. There is still some potential for this problem with the single lump, but I think it's reduced, because the lump looks like an identifier, not a code plus a number.

> 3) I'd really prefer them the other way around:

In that case I'd seriously suggest switching to another main delimiter, maybe %, because the mnemonic value of "at" has been lost (and indeed, the mnemonic value is going to cause confusion -- people *know* that the host comes *after* the @).

> 4) maybe even:

I see serious potential confusion here with the net/mask subnet notation. If the host name comes first, the delimiter should not be slash.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Thu Oct 8 18:37:07 1998
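
Added example, not part of the message above and not code from any IPsec implementation: a strict parser for the single-lump form discussed in the thread (`ah12345678@host.test`, SPI always hex with no `0x`), plus a check that shows why a bare, all-numeric SPI is ambiguous between hex and decimal. The grammar, the protocol list (`ah`, `esp`), the function names and the sample specifiers are assumptions made for illustration.

```python
import re

# Assumed grammar (illustrative only, not taken from an implementation):
#   specifier = proto hexspi "@" host      e.g. ah12345678@host.test
PROTOCOLS = ("ah", "esp")  # assumed protocol codes
LUMP = re.compile(r"^(%s)([0-9a-f]{1,8})@(.+)$" % "|".join(PROTOCOLS), re.I)


def parse_sa(spec):
    """Parse '<proto><hexspi>@<host>' into (proto, spi, host).

    The SPI is always read as hex; the protocol prefix is what marks the
    lump as an SA specifier rather than a plain number.
    """
    m = LUMP.match(spec)
    if not m:
        raise ValueError("not a <proto><hexspi>@<host> specifier: %r" % spec)
    proto, digits, host = m.groups()
    return proto.lower(), int(digits, 16), host


def base_readings(digits):
    """Every value a reader could assign to a bare SPI string that
    carries neither a 0x prefix nor a protocol prefix."""
    readings = {}
    if re.fullmatch(r"[0-9]+", digits):
        readings["decimal"] = int(digits, 10)
    if re.fullmatch(r"[0-9a-fA-F]+", digits):
        readings["hex"] = int(digits, 16)
    return readings


def is_ambiguous(digits):
    """True when the plausible readings disagree on the SPI value."""
    return len(set(base_readings(digits).values())) > 1


if __name__ == "__main__":
    # Constructed sample inputs.
    print(parse_sa("ah12345678@host.test"))
    print(parse_sa("esp1f@::1"))  # '@' does not clash with IPv6 colons
    for bare in ("12345678", "1a2b", "5"):
        print(bare, base_readings(bare), "ambiguous:", is_ambiguous(bare))
```
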

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:03 EDT
