Re: linux-ipsec: uses of SA specifiers
From: Henry Spencer <henry(at)spsystems.net>
Date: Sun Oct 11 1998 - 01:00:34 EDT
However, we do have triples that identify SAs, whether one calls them "SA IDs" or not, and an SPI is only one of their three components. Whether this terminology was a good idea or not, it *is* what the soon-to-be IPSEC RFCs use.

> Since we are not planning on typing it very often anyway, what about
Maybe I'm just dense today, but I still haven't figured out why this prefix buys us anything. Before we debate how to spell it, we need to know whether it's going to be there at all, and at the moment I see no reason for that. Nobody's going to need to tell the difference between one of these and, say, a URL for an FTPable document. (Long ago, in punchcard days, I had cause to design a specialized coding form. It was a bit crowded on an 8.5x11 sheet. I had the sense to ask the keypunch supervisor for her comments before I did the final artwork. She made some suggestions on details, and then thought a minute and said: "it's too cramped -- use legal-size paper". I balked; I like 8.5x11, even for things where tradition calls for bigger sheets, because it makes for easier filing etc. She said "who's going to file these?". I thought a minute and said "good point". If nobody's going to file them, it doesn't matter whether they're easy to file...)

> > ...avoid using delimiters which are metacharacters to the standard shell.
> If you don't like '=', and you don't like '/', how about ':'?
I don't recall expressing any objections to '=', actually, and my one reservation about '/' is the possibility of confusion with subnet notation if the host comes first. "ah12345678/10.0.0.1" seems promising. As said before, ':' has its points, but one potential trouble spot is that an IPv6 numeric address contains ':', and at some point we are going to want to be able to write SA identifiers with IPv6 addresses in them. So we have to be very restrained about using it for other purposes. It's like using '.' -- we can get away with it for some things, but not many.

> > And I'm not sold on the virtues of the URL style anyway; I consider it
Ugly is arguably subjective, but verbose can be defined precisely: lots of characters with zero information content. E.g., "ipsecurity://". The fewer the delimiters and other syntactic baggage, the better.

> ...But, surely, using a URL-conformant syntax buys us _some_
I'm not sure what existing code you're thinking of... and we know what the problem characters are in the shell we care about (';' being one).

> > > spi://host.test;ah=12345678;esp=feedface
Saving a bit of typing in one command doesn't seem worth an extension to the notation, to me. (I think this is the only place where such a multi-SA identifier would be useful.)
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Sun Oct 11 02:05:49 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:03 EDT
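A small parser for the "ah12345678/10.0.0.1" notation discussed in the message, added here as an illustration; it is not code from the thread or from any IPsec implementation. The grammar, the `ah`/`esp` prefixes, the 8-hex-digit SPI width and the shell-quoting check are assumptions drawn from the examples in the message; the IPv6 handling goes beyond the IPv4 example given there.

```python
import ipaddress
import re
import shlex
from typing import NamedTuple


class SAId(NamedTuple):
    """The SA-identifying triple: security protocol, SPI, destination address."""
    proto: str  # "ah" or "esp"
    spi: int    # 32-bit SPI; written as 8 hex digits in the text form
    dst: str    # canonical text form of the IPv4 or IPv6 destination address


# Text form as proposed in the message: "<proto><8 hex digits>/<address>",
# e.g. "ah12345678/10.0.0.1". Protocol and SPI come first so the '/' cannot
# be misread as a subnet prefix length, and '/' rather than ':' separates
# the address so an IPv6 address may carry its own ':' characters.
# (Hypothetical grammar for illustration, not a FreeS/WAN implementation.)
_SAID_RE = re.compile(r"(ah|esp)([0-9A-Fa-f]{8})/([0-9A-Fa-f:.]+)")


def parse_said(text: str) -> SAId:
    """Parse the text form into a triple; raise ValueError on malformed input."""
    m = _SAID_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not an SA identifier: {text!r}")
    proto, spi_hex, addr = m.groups()
    # ipaddress validates and canonicalises (e.g. collapses IPv6 zero runs);
    # a trailing "/24" already failed the regex, so no prefix can sneak in.
    dst = ipaddress.ip_address(addr)
    return SAId(proto, int(spi_hex, 16), str(dst))


def format_said(said: SAId) -> str:
    """Inverse of parse_said: SPI always printed as 8 lower-case hex digits."""
    return f"{said.proto}{said.spi:08x}/{said.dst}"


def is_said(text: str) -> bool:
    """True if text parses as an SA identifier."""
    try:
        parse_said(text)
    except ValueError:
        return False
    return True


def needs_shell_quoting(text: str) -> bool:
    """True if a Bourne shell would need the identifier quoted (e.g. it has ';')."""
    return shlex.quote(text) != text
```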