
Re: proposed changes to ISAKMP/Oakley



  Harald,

> In message <199710202101.OAA02410@dharkins-ss20>, Daniel Harkins writes:
> > 
> > I would agree that this should be mandatory. If constraints (like proxy ids)
> > are given during negotiation they must be respected by all parties to the
> > negotiation. Any other WG members have an opinion either way?
> 
> What about when they are *not* given? Many people seem to be refusing all
> non-local packets in that case. It would be nice if people's policy engines
> would simply allow all traffic between two routers to be protected without
> negotiating specific proxy-IDs. This is (once again :-) the concept of
> treating a tunnel as a logical, point-to-point link between two gateways.

If you don't negotiate proxy ids but your ENCAPSULATION_MODE attribute 
specifies tunnel mode then I guess you can stuff anything in that tunnel.
Lots of people may consider it a local policy decision on whether to accept
anything out of the tunnel though.

You could negotiate a proxy id of type IP_ADDR_SUBNET with the addr 
0.0.0.0 and the mask 255.255.255.255 and have port and protocol both zero and
probably achieve what you're looking for. In that case if someone accepted
it they'd be acknowledging that anything can come down the pipe.

  Dan.
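As an added example (not code from the thread, and not any implementation's real policy engine), here is a small Python model of the inbound check a gateway could apply to packets decapsulated from a tunnel-mode SA: negotiated proxy ids are honoured, and when none were negotiated the choice between treating the tunnel as a point-to-point link and accepting only locally destined traffic is a local policy flag. The Packet and ProxyId classes, the all-zero-mask "any" id, and the sample addresses in the test are constructed assumptions; the zero-means-ignore rule for port and protocol is RFC 2407's.

```python
# Added example, not code from the thread: an inbound policy check for a
# tunnel-mode SA against an IPsec DOI ID_IPV4_ADDR_SUBNET proxy id (address +
# mask; protocol 0 and port 0 mean "any", RFC 2407). All names are assumed.
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int

@dataclass(frozen=True)
class ProxyId:
    addr: str
    mask: str
    protocol: int = 0  # 0: protocol field is ignored
    port: int = 0      # 0: port field is ignored

    def matches(self, ip: str, protocol: int, port: int) -> bool:
        """Bitwise subnet match, so an all-zero mask matches every address."""
        a, n, m = (int(ipaddress.IPv4Address(x)) for x in (ip, self.addr, self.mask))
        if (a & m) != (n & m):
            return False
        if self.protocol and self.protocol != protocol:
            return False
        return not self.port or self.port == port

# The "anything can come down the pipe" id: all-zero mask, port and protocol zero.
ANY_ID = ProxyId("0.0.0.0", "0.0.0.0")

def accept_from_tunnel(pkt: Packet, remote_id: Optional[ProxyId],
                       local_id: Optional[ProxyId], local_nets: list,
                       point_to_point: bool) -> bool:
    """Accept or drop a packet decapsulated from the tunnel.
    Negotiated ids (IDci/IDcr) are binding: source against the remote id,
    destination against the local id. With no ids it is local policy:
    point_to_point accepts everything, otherwise only packets for local_nets."""
    if remote_id is not None and local_id is not None:
        return (remote_id.matches(pkt.src, pkt.protocol, pkt.sport)
                and local_id.matches(pkt.dst, pkt.protocol, pkt.dport))
    if point_to_point:
        return True
    dst = ipaddress.IPv4Address(pkt.dst)
    return any(dst in ipaddress.IPv4Network(net) for net in local_nets)
```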


