Re: proposed changes to ISAKMP/Oakley
Dan,
* added a clarification on the use of proxy IDs in Quick Mode which states:
"The proxy identities are used to identify and direct traffic
to the appropriate tunnel in cases where multiple tunnels exist
between two peers and also to allow for unique and shared SAs with
different granularities. Local policy will determine whether packets
which do not match the proxy information on which a tunnel was created
will be forwarded upon leaving the tunnel."
The 2nd part might actually belong in the Architecture Draft and
I'll entertain offers from Steve Kent to remove this text and have
it added there but I think there is a general confusion on this
capability and it should be clarified (some people had mentioned
situations where "I don't 'do proxy' but the other guy does" as if
it was some additional capability like doing Aggressive Mode).
In fact, it might make sense to say that if proxy identities are
used in negotiation of tunnels that traffic which does not match
that information MUST NOT be stuffed in the tunnel.
I was planning to put similar text in the architecture document, but not
necessarily with the same spin. I had received a couple of suggestions
that this be mandatory, not just a local option. It is applicable not only
to proxy tunnel SAs, but to any SA, to detect an attempt by an authorized
sender to spoof packets from another source, right? Maybe we need to
solicit WG opinion on this.
Steve
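The draft text quoted above argues that the proxy identities a tunnel was negotiated for should bound which decapsulated packets are forwarded, and Steve's reply extends that to spoofing by an otherwise authorized peer. As an added illustration, not code from either author or from any IPsec implementation, here is such a check applied to inner packets after decapsulation; the class names, the three ID types modelled (single address, subnet, inclusive range) and the sample addresses are assumptions:

```python
"""Added example: enforce Quick Mode proxy identities (selectors) on
decapsulated traffic. Names and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One proxy identity: kind is 'addr', 'subnet' or 'range' (assumed
    encodings of the address, subnet and range ID types)."""
    kind: str    # "addr", "subnet" or "range"
    value: str   # "10.0.0.5", "10.0.0.0/24" or "10.0.0.10-10.0.0.20"

    def contains(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        if self.kind == "addr":
            return a == ipaddress.ip_address(self.value)
        if self.kind == "subnet":
            return a in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(x) for x in self.value.split("-"))
            return lo <= a <= hi
        raise ValueError(f"unknown proxy ID type {self.kind!r}")


@dataclass(frozen=True)
class TunnelSA:
    """A tunnel-mode SA together with the proxy IDs it was created for."""
    spi: int
    local_id: ProxyId    # hosts behind this gateway the SA may carry traffic to
    remote_id: ProxyId   # hosts behind the peer the SA may carry traffic from


def inbound_policy_check(sa: TunnelSA, inner_src: str, inner_dst: str) -> bool:
    """Forward an inner packet only if its addresses match the SA's proxy
    IDs. A peer that sends from an address outside its own proxy ID is an
    authorized sender spoofing another source, and is rejected here."""
    return sa.remote_id.contains(inner_src) and sa.local_id.contains(inner_dst)


def filter_inbound(sa: TunnelSA, packets):
    """Split decapsulated (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if inbound_policy_check(sa, src, dst) else dropped
        bucket.append((src, dst))
    return forwarded, dropped
```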