
Re: proposed changes to ISAKMP/Oakley



Dan,

 * added a clarification on the use of proxy IDs in Quick Mode which states:
	"The proxy identities are used to identify and direct traffic
	 to the appropriate tunnel in cases where multiple tunnels exist
	 between two peers and also to allow for unique and shared SAs with
	 different granularities. Local policy will determine whether packets
	 which do not match the proxy information on which a tunnel was created
	 will be forwarded upon leaving the tunnel."

	The 2nd part might actually belong in the Architecture Draft and
	I'll entertain offers from Steve Kent to remove this text and have
	it added there but I think there is a general confusion on this
	capability and it should be clarified (some people had mentioned
	situations where "I don't 'do proxy' but the other guy does" as if
	it was some additional capability like doing Aggressive Mode).
	In fact, it might make sense to say that if proxy identities are
	used in negotiation of tunnels that traffic which does not match
	that information MUST NOT be stuffed in the tunnel.

I was planning to put similar text in the architecture document, but not
necessarily with the same spin.  I had received a couple of suggestions
that this be mandatory, not just a local option.  It is applicable not only
to proxy tunnel SAs, but to any SA, to detect an attempt by an authorized
sender to spoof packets from another source, right?  Maybe we need to
solicit WG opinion on this.

Steve
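The check both messages are talking about, worked through as an added illustration (this is not code from the ISAKMP/Oakley or Architecture drafts, and the names, SPIs and addresses are constructed for the example): after a packet has been authenticated and decapsulated on an inbound SA, its inner source and destination are compared against the proxy identities (IDci/IDcr) that SA was negotiated for, and the packet is dropped if it does not match. With that rule applied as a MUST, a peer that legitimately holds SA 0x1001 for 10.2.1.0/24 cannot reuse it to inject a packet claiming to come from 10.2.2.0/24, which is exactly the "authorized sender spoofing another source" case. The proxy identity model below is a simplification: host and subnet identities are both represented as a prefix, address-range identities are not modelled, and 0 means "any" for protocol and port.

```python
"""Inbound proxy-ID (selector) check after IPsec decapsulation.

Added example, not code from the ISAKMP/Oakley or Architecture drafts.
All SAs, SPIs and addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One Quick Mode proxy identity (IDci or IDcr) as seen by a gateway:
    an address set plus the protocol/port fields carried with it.
    Hypothetical model: host identities are /32, subnet identities are
    their prefix, 0 means 'any' for proto and port."""
    net: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

    def matches(self, addr: str, proto: int, port: int) -> bool:
        return (ipaddress.IPv4Address(addr) in self.net
                and (self.proto == 0 or proto == self.proto)
                and (self.port == 0 or port == self.port))


@dataclass(frozen=True)
class InboundSA:
    """Inbound SA keyed by SPI, with the proxy IDs it was negotiated for:
    remote_id is the far side's identity, local_id is ours."""
    spi: int
    remote_id: ProxyId
    local_id: ProxyId


@dataclass(frozen=True)
class Decapsulated:
    """Inner header fields visible after ESP/AH processing on an inbound SA."""
    spi: int
    inner_src: str
    inner_dst: str
    proto: int
    sport: int
    dport: int


def build_proxy(net: str, proto: int = 0, port: int = 0) -> ProxyId:
    return ProxyId(ipaddress.IPv4Network(net), proto, port)


def check_inbound(sad: dict, pkt: Decapsulated) -> tuple:
    """Apply the selector check as a MUST: a packet that arrived on an SA is
    forwarded only if its inner header matches the proxy IDs that SA was
    created for.  Returns (decision, reason)."""
    sa = sad.get(pkt.spi)
    if sa is None:
        return ("drop", "no inbound SA for SPI %#x" % pkt.spi)
    if not sa.remote_id.matches(pkt.inner_src, pkt.proto, pkt.sport):
        return ("drop", "inner source %s/proto %d/sport %d outside remote proxy ID %s"
                % (pkt.inner_src, pkt.proto, pkt.sport, sa.remote_id.net))
    if not sa.local_id.matches(pkt.inner_dst, pkt.proto, pkt.dport):
        return ("drop", "inner destination %s/proto %d/dport %d outside local proxy ID %s"
                % (pkt.inner_dst, pkt.proto, pkt.dport, sa.local_id.net))
    return ("forward", "matches proxy IDs of SA %#x" % pkt.spi)


# Constructed SAD: two subnet-granularity SAs between the same gateway pair
# (unique tunnels per subnet pair) and one host/port-granularity SA.
SAD = {
    0x1001: InboundSA(0x1001, build_proxy("10.2.1.0/24"), build_proxy("10.1.1.0/24")),
    0x1002: InboundSA(0x1002, build_proxy("10.2.2.0/24"), build_proxy("10.1.2.0/24")),
    0x1003: InboundSA(0x1003, build_proxy("10.2.3.10/32", proto=6),
                      build_proxy("10.1.3.20/32", proto=6, port=25)),
}

if __name__ == "__main__":
    cases = [
        Decapsulated(0x1001, "10.2.1.5", "10.1.1.7", 6, 40000, 80),   # legitimate
        Decapsulated(0x1001, "10.2.2.9", "10.1.1.7", 6, 40000, 80),   # peer spoofs the other subnet
        Decapsulated(0x1001, "10.2.1.5", "10.1.2.7", 6, 40000, 80),   # wrong destination subnet
        Decapsulated(0x1003, "10.2.3.10", "10.1.3.20", 6, 5000, 25),  # host/port SA, matches
        Decapsulated(0x1003, "10.2.3.10", "10.1.3.20", 6, 5000, 80),  # wrong port on narrow SA
        Decapsulated(0x9999, "10.2.1.5", "10.1.1.7", 6, 40000, 80),   # unknown SPI
    ]
    for pkt in cases:
        decision, reason = check_inbound(SAD, pkt)
        print("%-7s SPI %#x %s -> %s: %s" % (decision, pkt.spi, pkt.inner_src, pkt.inner_dst, reason))
```

The second case is the one that matters for the thread: the sender is an authorized peer holding a valid SA, and the packet authenticates correctly, so only the selector comparison can catch it. Making that comparison optional local policy (the draft text's second sentence) leaves the spoofing path open between peers that share a coarse SA; the narrower the proxy IDs, the less an authorized peer can claim.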



