
Re: ISAKMP Oakley resolution and ipsec doi document questions



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Baiju" == Baiju Patel <baiju@ideal.jf.intel.com> writes:
    Baiju> There are two specific scenarios using proxies for IPSEC.

  Let's be specific here: you mean doing proxy key management. I must
admit that your second scenario doesn't make sense to me. The
situation I understood for proxy IDs in Oakley is when two hosts
behind two security gateways are supposed to get per-host keying. You
say this in:

    Baiju> 1. A host wants to initiate a connection to another host,
    Baiju> and a proxy host in the middle handles IPSEC for it. This is
    Baiju> the case addressed in your response. Typically, (but not
    Baiju> necessarily), this would be for accessing an intranet over a
    Baiju> firewall by a host on the internet.

  I find the words "proxy host" to be far too overloaded, and would
avoid them. 

    Baiju> 2. A host (daemon) wants to accept connections from other
    Baiju> hosts and there is a proxy which needs to establish an
    Baiju> authenticated IPSEC connection to the host before it allows
    Baiju> traffic to/from it.

    Baiju> Here is an example. I have a web server www on the
    Baiju> intranet.  For many pragmatic reasons, I do not want to put
    Baiju> this web server in the DMZ. This web server wants to
    Baiju> request the firewall that it be allowed to communicate with
    Baiju> any external host.  The way the firewall can ensure this (and

  This is just a tunnel. One end of the tunnel gets a filter of 0.0.0.0/0.
  I thought that networks with prefix lengths were one of the valid ID
types... (I cleared those drafts from my notebook, so I can't quote
paragraphs).

]     The food on Finnair flights is quite good really          | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM8nJp8mxxiPyUBAxAQE+YQMAmDuNQEXE37RBxlG+BPYFAP1RKyvP4s60
paatQBdKMxZB8mbd3xm4IWz26M6gfNhUXpz+OzUT8P46Uz1cUxsslgWQnCiKUh+8
ahYAmBm982S5EXCwrX4RkU3xjentGw3a
=qPgv
-----END PGP SIGNATURE-----
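The reply above says the second scenario is "just a tunnel" whose gateway end carries a 0.0.0.0/0 filter, and recalls that networks with prefix lengths are one of the valid ID types. The following is an added example, not code from the post or from any IPsec implementation: it encodes and decodes the Identification payload body of the IPsec DOI and checks traffic against the selector it carries. The ID type numbers (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4, ID_IPV4_ADDR_RANGE = 7), the ID Type / Protocol ID / Port / data layout, and the rule that Protocol ID 0 and Port 0 are wildcards are taken from RFC 2407, the published form of the DOI draft the thread discusses, not from the post itself. The addresses used are constructed documentation-range values.

```python
"""Added example: IPsec DOI Identification payload body (RFC 2407 section 4.6.2)
encoder/decoder plus a selector check.  The 0.0.0.0/0 filter from the reply is
an ID_IPV4_ADDR_SUBNET whose address and mask are both 0.0.0.0."""
import ipaddress
import struct

# ID type values from RFC 2407 section 4.6.2.1 (not from the mailing-list post).
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7


def encode_id_body(id_type, data, protocol_id=0, port=0):
    """Body following the generic ISAKMP payload header:
    ID Type (1 byte), Protocol ID (1 byte), Port (2 bytes), Identification Data."""
    return struct.pack("!BBH", id_type, protocol_id, port) + data


def encode_ipv4_subnet_id(cidr, protocol_id=0, port=0):
    """ID_IPV4_ADDR_SUBNET data is a 4-byte address followed by a 4-byte netmask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    data = net.network_address.packed + net.netmask.packed
    return encode_id_body(ID_IPV4_ADDR_SUBNET, data, protocol_id, port)


def decode_id_body(body):
    """Parse a body; the selector is an IPv4Network, or a (first, last) tuple
    of IPv4Address for ranges.  Malformed or unsupported bodies raise ValueError."""
    if len(body) < 4:
        raise ValueError("identification body shorter than its fixed header")
    id_type, protocol_id, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs 4 data bytes")
        selector = ipaddress.IPv4Network(ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs 8 data bytes")
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        # ipaddress rejects non-contiguous masks; a 0.0.0.0 mask yields /0.
        selector = ipaddress.IPv4Network((addr, str(mask)), strict=False)
    elif id_type == ID_IPV4_ADDR_RANGE:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_RANGE needs 8 data bytes")
        first = ipaddress.IPv4Address(data[:4])
        last = ipaddress.IPv4Address(data[4:])
        if last < first:
            raise ValueError("range end precedes range start")
        selector = (first, last)
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return {"type": id_type, "protocol": protocol_id, "port": port,
            "selector": selector}


def permits(ident, address, protocol=None, port=None):
    """True if a packet with this address, protocol and port falls inside the
    decoded ID.  Protocol ID 0 and Port 0 in the ID are wildcards (RFC 2407)."""
    sel = ident["selector"]
    ip = ipaddress.IPv4Address(address)
    if isinstance(sel, tuple):
        in_addr = sel[0] <= ip <= sel[1]
    else:
        in_addr = ip in sel
    proto_ok = ident["protocol"] == 0 or ident["protocol"] == protocol
    port_ok = ident["port"] == 0 or ident["port"] == port
    return in_addr and proto_ok and port_ok


if __name__ == "__main__":
    # Constructed values: the gateway end gets 0.0.0.0/0, the intranet end a /24.
    anywhere = decode_id_body(encode_ipv4_subnet_id("0.0.0.0/0"))
    intranet = decode_id_body(encode_ipv4_subnet_id("192.0.2.0/24"))
    print("gateway selector:", anywhere["selector"])
    print("intranet selector:", intranet["selector"])
    print("198.51.100.5 behind gateway end:", permits(anywhere, "198.51.100.5"))
    print("198.51.100.5 behind intranet end:", permits(intranet, "198.51.100.5"))
```

The decoder deliberately refuses short or oversized data fields instead of padding or truncating them, since a selector that silently widens is exactly the failure a gateway filter must not have.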