4.4.1.3. More Regarding Fields Associated with Next Layer Protocols

Additional selectors are often associated with fields in the Next Layer Protocol header. A particular Next Layer Protocol can have zero, one, or two selectors. There may be situations where there aren't both local and remote selectors for the fields that are dependent on the Next Layer Protocol. The IPv6 Mobility Header has only a Mobility Header message type. AH and ESP have no further selector fields. A system may be willing to send an ICMP message type and code that it does not want to receive.

Note: In the descriptions below, "port" is used to mean a field that is dependent on the Next Layer Protocol.

A. Protocols with No Port Selectors

If a Next Layer Protocol has no "port" selectors, then the Local and Remote "port" selectors are set to OPAQUE in the relevant SPD entry, e.g.,

Example - AH Protocol:

Local's
next layer protocol = AH
"port" selector = OPAQUE

Remote's
next layer protocol = AH
"port" selector = OPAQUE

B. Protocols with One Selector

Even if a Next Layer Protocol has only one selector, e.g., Mobility Header type, then the Local and Remote "port" selectors are used to indicate whether a system is willing to send and/or receive traffic with the specified "port" values.

Example 1: Send and Receive

If Mobility Headers of a specified type are allowed to be sent and received via an SA, then the relevant SPD entry would be set as follows:

Local's
next layer protocol = Mobility Header
"port" selector = Mobility Header message type

Remote's
next layer protocol = Mobility Header
"port" selector = Mobility Header message type

Example 2: Send Only

If Mobility Headers of a specified type are allowed to be sent but NOT received via an SA, then the relevant SPD entry would be set as follows:

Local's
next layer protocol = Mobility Header
"port" selector = Mobility Header message type

Remote's
next layer protocol = Mobility Header
"port" selector = OPAQUE

Example 3: Receive Only

If Mobility Headers of a specified type are allowed to be received but NOT sent via an SA, then the relevant SPD entry would be set as follows:

Local's
next layer protocol = Mobility Header
"port" selector = OPAQUE

Remote's
next layer protocol = Mobility Header
"port" selector = Mobility Header message type

C. Protocols with Two Selectors - Send Only

If a system is willing to send traffic with a particular "port" value but NOT receive traffic with that kind of port value, the system's traffic selectors are set as follows in the relevant SPD entry:

Local's
next layer protocol = ICMP
"port" selector = <specific ICMP type & code>

Remote's
next layer protocol = ICMP
"port" selector = OPAQUE

D. Protocols with Two Selectors - Receive Only

To indicate that a system is willing to receive traffic with a particular "port" value but NOT send that kind of traffic, the system's traffic selectors are set as follows in the relevant SPD entry:

Local's
next layer protocol = ICMP
"port" selector = OPAQUE

Remote's
next layer protocol = ICMP
"port" selector = <specific ICMP type & code>

Practical Example: ICMP Traceroute

For example, if a security gateway is willing to allow systems behind it to send ICMP traceroutes, but is not willing to let outside systems run ICMP traceroutes to systems behind it, then the security gateway's traffic selectors are set as follows in the relevant SPD entry:

Local's
next layer protocol = 1 (ICMPv4)
"port" selector = 30 (traceroute)

Remote's
next layer protocol = 1 (ICMPv4)
"port" selector = OPAQUE
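The send-only and receive-only entries in B, C and D all follow one rule: the Local "port" selector governs what this system sends and the Remote "port" selector governs what it receives, with OPAQUE in whichever slot is not permitted. The following Python model is an added example, not code from the RFC or from any IPsec implementation; the class and function names are hypothetical, and it models OPAQUE as matching only a packet whose next-layer field cannot be read (e.g. a non-initial fragment), which is how RFC 4301 describes that value.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Hypothetical names, constructed for this example (not an IPsec implementation).
OPAQUE = "OPAQUE"        # selector value meaning "the field is not available"
ICMPV4 = 1               # IP protocol number of ICMPv4
MOBILITY_HEADER = 135    # IPv6 Mobility Header protocol number
Selector = Union[int, str]


def icmp_port(icmp_type: int, code: int) -> int:
    """Pack ICMP type (high byte) and code (low byte) into the single "port" value."""
    return (icmp_type << 8) | code


@dataclass(frozen=True)
class SpdEntry:
    proto: int              # next layer protocol (same on the Local and Remote side)
    local_port: Selector    # what this system may send
    remote_port: Selector   # what this system may receive


def spd_entry(proto: int, port: int, send: bool, receive: bool) -> SpdEntry:
    """Build the Local/Remote "port" selectors for the send/receive cases in B, C and D."""
    return SpdEntry(proto, port if send else OPAQUE, port if receive else OPAQUE)


@dataclass(frozen=True)
class Packet:
    direction: str          # "outbound" (sent by this system) or "inbound" (received)
    proto: int
    port: Optional[int]     # None when the field cannot be read, e.g. a non-initial fragment


def matches(entry: SpdEntry, pkt: Packet) -> bool:
    """Does the packet match the entry's next layer protocol and "port" selector?"""
    if pkt.proto != entry.proto:
        return False
    # Outbound traffic is this system's own, so the Local selector applies;
    # inbound traffic comes from the peer, so the Remote selector applies.
    selector = entry.local_port if pkt.direction == "outbound" else entry.remote_port
    if selector == OPAQUE:
        return pkt.port is None   # OPAQUE matches only when the field is unavailable
    return pkt.port == selector


# The traceroute gateway from the page: send ICMP type 30, never accept it.
TRACEROUTE_GATEWAY = spd_entry(ICMPV4, icmp_port(30, 0), send=True, receive=False)
```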