
Re: proposed changes to ISAKMP/Oakley



  Steve,

>> * added a clarification on the use of proxy IDs in Quick Mode which states:
>>	"The proxy identities are used to identify and direct traffic
>>	 to the appropriate tunnel in cases where multiple tunnels exist
>>	 between two peers and also to allow for unique and shared SAs with
>>	 different granularities. Local policy will determine whether packets
>>	 which do not match the proxy information on which a tunnel was created
>>	 will be forwarded upon leaving the tunnel."
>>
>>	The 2nd part might actually belong in the Architecture Draft and
>>	I'll entertain offers from Steve Kent to remove this text and have
>>	it added there but I think there is a general confusion on this
>>	capability and it should be clarified (some people had mentioned
>>	situations where "I don't 'do proxy' but the other guy does" as if
>>	it was some additional capability like doing Aggressive Mode).
>>	In fact, it might make sense to say that if proxy identities are
>>	used in negotiation of tunnels that traffic which does not match
>>	that information MUST NOT be stuffed in the tunnel.
>>
> I was planning to put similar text in the architecture document, but not
> necessarily with the same spin.  I had received a couple of suggestions
> that this be mandatory, not just a local option.  It is applicable not only
> to proxy tunnel SAs, but to any SA, to detect an attempt by an authorized
> sender from spoofing packets from another source, right?  Maybe we need to
> solicit WG opinion on this.

The spin isn't all that critical as long as the idea is conveyed and you can
probably convey it better than I. I'll remove the 2nd part from the 
ISAKMP/Oakley draft.

I would agree that this should be mandatory. If constraints (like proxy ids)
are given during negotiation they must be respected by all parties to the
negotiation. Any other WG members have an opinion either way?

  Dan.

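As an added illustration (not text from either draft, and not code by either poster), here is the check the two posts describe, written in Python against constructed selector and packet values: after decapsulation the inner header is compared with the proxy IDs the SA was negotiated with, and on the outbound side a packet is placed only in a tunnel whose proxy IDs cover it. The `ProxyIds` and `InnerPacket` types are hypothetical stand-ins for an implementation's SA and packet structures.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Hypothetical model of the proxy identities negotiated for one tunnel SA:
# which inner source and destination addresses the SA may carry.
@dataclass(frozen=True)
class ProxyIds:
    local_net: str   # this side's protected hosts
    remote_net: str  # the peer's protected hosts


@dataclass(frozen=True)
class InnerPacket:
    src: str
    dst: str


def check_decapsulated(sa: ProxyIds, pkt: InnerPacket) -> str:
    """Inbound check applied when a packet leaves the tunnel.

    The packet arrived under `sa`, so its sender is authenticated; the
    separate authorization question is whether the inner header matches
    the proxy IDs this SA was negotiated with.  A peer allowed to send on
    behalf of remote_net must not be able to inject packets that claim
    another source, nor packets aimed outside the negotiated local_net.
    """
    src_ok = ip_address(pkt.src) in ip_network(sa.remote_net)
    dst_ok = ip_address(pkt.dst) in ip_network(sa.local_net)
    if src_ok and dst_ok:
        return "forward"
    # A mismatch is worth logging: it is either misconfiguration or an
    # authorized peer attempting to spoof traffic from another source.
    return "drop"


def select_tunnel(sas: List[ProxyIds], pkt: InnerPacket) -> Optional[ProxyIds]:
    """Outbound: return the SA whose proxy IDs cover the packet, or None
    when no tunnel was negotiated for it, so the packet is never stuffed
    into a tunnel whose constraints it does not meet."""
    for sa in sas:
        if (ip_address(pkt.src) in ip_network(sa.local_net)
                and ip_address(pkt.dst) in ip_network(sa.remote_net)):
            return sa
    return None
```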