Feature #173

Support for IP address ranges in traffic selectors

Added by Tobias Brunner over 8 years ago. Updated about 8 years ago.

Status: Assigned
Priority: Normal
Category: -
Target version: -
Start date: 08.02.2012
Due date:
Estimated time:
Resolution:

Description

Currently, address ranges in IKEv2 traffic selectors are mapped to a single subnet that contains at least all the addresses in the range but may contain more. The reason for this is that the Linux kernel only supports subnets when installing policies.
We could, though, split the range into a group of subnets/policies and install these into the kernel.

For example, the range 192.168.1.60-192.168.1.160 is currently mapped to 192.168.1.0/24, as that is the smallest subnet containing all 101 addresses.
By splitting the range into multiple subnets/policies we could map this more exactly:

  192.168.1.60/30  : 192.168.1.60-192.168.1.63
  192.168.1.64/26  : 192.168.1.64-192.168.1.127
  192.168.1.128/27 : 192.168.1.128-192.168.1.159
  192.168.1.160/32 : 192.168.1.160

Configuration of address ranges via ipsec.conf may be an option too (or a script that splits a range into a list of subnets which could then be used with left/rightsubnet).
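A sketch of the range-splitting script mentioned above, added here as an example and not part of the original issue or of strongSwan's code. The function names are hypothetical; `covering_subnet` models the single-subnet mapping described in the issue so the number of addresses the resulting policy covers beyond the negotiated range can be compared.

```python
import ipaddress


def _parse(first, last):
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or int(a) > int(b):
        raise ValueError("range must be ordered and of one address family")
    net_cls = ipaddress.IPv4Network if a.version == 4 else ipaddress.IPv6Network
    return int(a), int(b), a.max_prefixlen, net_cls


def covering_subnet(first, last):
    """Smallest single subnet containing the range (the mapping described above)."""
    lo, hi, bits, net_cls = _parse(first, last)
    host_bits = (lo ^ hi).bit_length()      # bits in which the two ends differ
    return net_cls(((lo >> host_bits) << host_bits, bits - host_bits))


def range_to_subnets(first, last):
    """Minimal list of subnets covering exactly first..last (inclusive)."""
    lo, hi, bits, net_cls = _parse(first, last)
    subnets = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment allows...
        align = (lo & -lo).bit_length() - 1 if lo else bits
        # ...and no larger than the number of addresses still to cover.
        fit = (hi - lo + 1).bit_length() - 1
        host_bits = min(align, fit)
        subnets.append(net_cls((lo, bits - host_bits)))
        lo += 1 << host_bits
    return subnets


def excess_addresses(first, last):
    """Addresses matched by the covering subnet but outside the range."""
    lo, hi, _, _ = _parse(first, last)
    return covering_subnet(first, last).num_addresses - (hi - lo + 1)


if __name__ == "__main__":
    first, last = "192.168.1.60", "192.168.1.160"   # range from the issue
    print("single subnet:", covering_subnet(first, last),
          "(+%d addresses outside the range)" % excess_addresses(first, last))
    # Comma-separated list, e.g. for use as a left/rightsubnet value
    print("split:", ",".join(str(n) for n in range_to_subnets(first, last)))
```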

History

#1 Updated by Tobias Brunner about 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Tobias Brunner
