Feature #173
Support for IP address ranges in traffic selectors
| Status: | Assigned | Start date: | 08.02.2012 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | Tobias Brunner | % Done: | 0% | |
| Category: | - | |||
| Target version: | - | |||
| Resolution: |
Description
Currently, address ranges in IKEv2 traffic selectors are mapped to a single subnet that contains at least all the addresses in the range but may contain more. The reason for this is that the Linux kernel only supports subnets when installing policies.
We could, though, split the range into a group of subnets/policies and install these into the kernel.
For example the range 192.168.1.60-192.168.1.160 is currently mapped to 192.168.1.0/24 as that is the smallest subnet containing all 101 addresses.
By splitting the range into multiple subnets/policies we could map this more exactly:
192.168.1.60/30 : 192.168.1.60-192.168.1.63 192.168.1.64/26 : 192.168.1.64-192.168.1.127 192.168.1.128/27 : 192.168.1.128-192.168.1.159 192.168.1.160/32 : 192.168.1.160
Configuration of address ranges via ipsec.conf may be an option too (or a script that splits a range into a list of subnets which could then be used with left/rightsubnet).
History
#1 Updated by Tobias Brunner 11 months ago
- Status changed from New to Assigned
- Assignee set to Tobias Brunner