
Re: proposed changes to ISAKMP/Oakley



Harald,

>> I would agree that this should be mandatory. If constraints (like proxy ids)
>> are given during negotiation they must be respected by all parties to the
>> negotiation. Any other WG members have an opinion either way?
>
>What about when they are *not* given? Many people seem to be refusing all
>non-local packets in that case. It would be nice if people's policy engines
>would simply allow all traffic between two routers to be protected without
>negotiating specific proxy-IDs. This is (once again :-) the concept of
>treating a tunnel as a logical, point-to-point link between two gateways.

The arch doc draft required that traffic be mapped to SAs based on
"selectors" and my suggestion is that all traffic emerging from an SA ought
to be checked against the set of selectors specified when the SA was
created.  This should apply to manually keyed SAs as well as ISAKMP SAs.
I'm less comfortable with the use of the term "proxy ID" as per ISAKMP, as
it is specific to that key management method.

Steve
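The check Steve describes, as an added illustration that is not part of the original message: an SA carries the selectors fixed at its creation, and every packet emerging from that SA is verified against them before being forwarded. The `Selectors` and `Packet` records and the all-zeros "point-to-point link" case are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example: the selectors attached to an SA when it was created,
# whether manually keyed or negotiated. None means "any" for that field.
@dataclass(frozen=True)
class Selectors:
    src: str                      # CIDR of permitted inner source addresses
    dst: str                      # CIDR of permitted inner destination addresses
    proto: Optional[int] = None   # IP protocol number, None = any
    dport: Optional[int] = None   # destination port, None = any

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

def matches_selectors(sel: Selectors, pkt: Packet) -> bool:
    """True iff the decapsulated packet lies within the SA's selectors."""
    if ip_address(pkt.src) not in ip_network(sel.src):
        return False
    if ip_address(pkt.dst) not in ip_network(sel.dst):
        return False
    if sel.proto is not None and pkt.proto != sel.proto:
        return False
    if sel.dport is not None and pkt.dport != sel.dport:
        return False
    return True

def inbound_check(sel: Selectors, pkt: Packet, log: List[str]) -> str:
    """Verdict for a packet emerging from the SA; mismatches are dropped and logged."""
    if matches_selectors(sel, pkt):
        return "ACCEPT"
    log.append(f"DROP inner {pkt.src}->{pkt.dst} proto {pkt.proto}: outside SA selectors")
    return "DROP"
```

An SA whose selectors are 0.0.0.0/0 on both sides is the "logical point-to-point link" from the quoted text: everything emerging from it is accepted, while narrower selectors reject traffic the SA was never negotiated to carry.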



