Re: ISAKMP Oakley resolution and ipsec doi document questions
- To: ipsec@tis.com
- Subject: Re: ISAKMP Oakley resolution and ipsec doi document questions
- From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
- Date: Mon, 14 Jul 1997 09:43:40 +0300
- In-reply-to: Your message of "Mon, 16 Jun 1997 09:58:56 PDT." <01BC7A3B.E8662A40@baiju.jf.intel.com>
- Sender: owner-ipsec@ex.tis.com
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Baiju" == Baiju Patel <baiju@ideal.jf.intel.com> writes:
Baiju> There are two specific scenarios using proxies for IPSEC.
Let's be specific here: you mean doing proxy key management. I must
admit that your second scenario doesn't make sense to me. The
situation I understood for proxy IDs in Oakley is when two hosts
behind two security gateways are supposed to get per-host keying. You
say this in:
Baiju> 1. A host wants to initiate a connection to another host,
Baiju> and a proxy host in the middle handles IPSEC for it. This is
Baiju> the case addressed in your response. Typically, (but not
Baiju> necessarily), this would be for accessing an intranet over a
Baiju> firewall by a host on the internet.
I find the words "proxy host" to be far too overloaded, and would
avoid them.
Baiju> 2. A host (daemon) wants to accept connections from other
Baiju> hosts and there is a proxy which needs to establish an
Baiju> authenticated IPSEC connection to the host before it allows
Baiju> traffic to/from it.
Baiju> Here is an example. I have a web server www on the
Baiju> intranet. For many pragmatic reasons, I do not want to put
Baiju> this web server in the DMZ. This web server wants to
Baiju> request the firewall that it be allowed to communicate with
Baiju> any external host. The way the firewall can ensure this (and
This is just a tunnel. One end of the tunnel gets a filter of 0.0.0.0/0.
I thought that networks with prefix lengths were one of the valid ID
types... (I cleared those drafts from my notebook, so I can't quote
paragraphs).
] The food on Finnair flights is quite good really | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBM8nJp8mxxiPyUBAxAQE+YQMAmDuNQEXE37RBxlG+BPYFAP1RKyvP4s60
paatQBdKMxZB8mbd3xm4IWz26M6gfNhUXpz+OzUT8P46Uz1cUxsslgWQnCiKUh+8
ahYAmBm982S5EXCwrX4RkU3xjentGw3a
=qPgv
-----END PGP SIGNATURE-----
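Added example, not part of the original message or of the ISAKMP/IPsec DOI drafts it discusses: how the two identities in the "just a tunnel" case look on the wire, using the Identification payload layout and ID Type values the IPsec DOI eventually published in RFC 2407 (section 4.6.2). ID_IPV4_ADDR_SUBNET carries four octets of address followed by four octets of mask, so the "filter of 0.0.0.0/0" is address 0.0.0.0 with an all-zero mask; a Protocol ID or Port of 0 is a wildcard. The web server address 10.0.0.5 is made up, and the decoder's refusal of non-contiguous masks and of address bits set outside the mask is this example's own conservative choice, not something the DOI mandates.

```python
import ipaddress
import struct

# Identification Type values from the IPsec DOI, RFC 2407 section 4.6.2.1
# (the published form of the drafts discussed in the thread).
ID_IPV4_ADDR = 1         # a single IPv4 address, 4 octets of data
ID_IPV4_ADDR_SUBNET = 4  # 4 octets of address followed by 4 octets of mask

# Identification payload header, RFC 2407 section 4.6.2:
# Next Payload, RESERVED, Payload Length, ID Type, Protocol ID, Port
ID_HEADER = struct.Struct("!BBHBBH")


def encode_id_payload(id_type, id_data, protocol_id=0, port=0, next_payload=0):
    """Serialise one Identification payload. Protocol ID and Port of 0 mean
    "any" (RFC 2407 section 4.6.2); Payload Length covers header plus data."""
    length = ID_HEADER.size + len(id_data)
    return ID_HEADER.pack(next_payload, 0, length, id_type, protocol_id, port) + id_data


def ipv4_host_id(addr, protocol_id=0, port=0):
    """ID_IPV4_ADDR: identity of a single host, optionally narrowed to proto/port."""
    return encode_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(addr).packed,
                             protocol_id, port)


def ipv4_subnet_id(network, protocol_id=0, port=0):
    """ID_IPV4_ADDR_SUBNET: identity of a network. "0.0.0.0/0" encodes as
    address 0.0.0.0 with mask 0.0.0.0, i.e. every IPv4 host."""
    net = ipaddress.IPv4Network(network)
    return encode_id_payload(ID_IPV4_ADDR_SUBNET,
                             net.network_address.packed + net.netmask.packed,
                             protocol_id, port)


def _contiguous_mask(mask):
    """True for masks of the form 1...10...0, including all-zero and all-one."""
    return mask == 0 or (mask | (mask - 1)) == 0xFFFFFFFF


def decode_id_payload(buf):
    """Parse an Identification payload into (IPv4Network, protocol, port).
    Malformed payloads raise ValueError instead of yielding a selector the
    receiving gateway could never match consistently: length mismatches,
    non-contiguous masks, and (a conservative choice of this example, not a
    DOI rule) address bits set outside the mask."""
    if len(buf) < ID_HEADER.size:
        raise ValueError("truncated Identification payload")
    _next, _reserved, length, id_type, proto, port = ID_HEADER.unpack_from(buf)
    if length != len(buf):
        raise ValueError("Payload Length %d does not match %d bytes" % (length, len(buf)))
    data = buf[ID_HEADER.size:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 octets of data")
        net = ipaddress.IPv4Network((data, 32))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs exactly 8 octets of data")
        mask = int.from_bytes(data[4:], "big")
        if not _contiguous_mask(mask):
            raise ValueError("non-contiguous subnet mask")
        # strict=True rejects host bits under the mask rather than silently masking them
        net = ipaddress.IPv4Network((data[:4], bin(mask).count("1")), strict=True)
    else:
        raise ValueError("ID type %d not handled in this example" % id_type)
    return net, proto, port


def is_rejected(buf):
    """Convenience check: does the decoder refuse this payload?"""
    try:
        decode_id_payload(buf)
    except ValueError:
        return True
    return False


def selector_covers(selector, addr, proto, port):
    """Would the selector admit a packet with this address, protocol and port?"""
    net, sel_proto, sel_port = selector
    return (ipaddress.IPv4Address(addr) in net
            and sel_proto in (0, proto)
            and sel_port in (0, port))


def gateway_phase2_ids(inside_host, outside_network="0.0.0.0/0"):
    """The "just a tunnel" case from the message: the gateway names the
    protected web server as one identity and everything outside as the
    other, which is the filter of 0.0.0.0/0 on that end of the tunnel."""
    return ipv4_host_id(inside_host), ipv4_subnet_id(outside_network)


if __name__ == "__main__":
    # 10.0.0.5 is a made-up address for the intranet web server.
    id_www, id_anyone = gateway_phase2_ids("10.0.0.5")
    print("IDci:", id_www.hex(), decode_id_payload(id_www))
    print("IDcr:", id_anyone.hex(), decode_id_payload(id_anyone))
```

The decoder is the half worth copying: a responder that accepts a subnet ID with a mask like 255.0.255.0, or with address bits outside the mask, ends up with a selector that different implementations will interpret differently, which is exactly the kind of ambiguity a phase-2 identity is supposed to remove.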