
Re: proposed changes to ISAKMP/Oakley



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "C" == C Harald Koch <chk@utcc.utoronto.ca> writes:
    C> What about when they are *not* given? Many people seem to be
    C> refusing all non-local packets in that case. It would be nice
    C> if people's policy engines would simply allow all traffic
    C> between two routers to be protected without negotiating
    C> specific proxy-IDs. This is (once again :-) the concept of
    C> treating a tunnel as a logical, point-to-point link between two
    C> gateways.

  The link gets the packets there, but does your policy actually allow
you to do anything with them?
  You might just drop them on the "outside" of a firewall and send
things up through the proxies, and do various levels of authentication
(with or without the IPsec IDs involved), or you can "bypass" the
firewall components and forward the packets.

  This whole issue is something that I think will become part of
the VPN charter.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNEvlAaZpLyXYhL+BAQHNUAL/fVE7ZgZSPw/YA36kw+em2zourhmWs0BY
8/YmT2J5oOfqxE4DLIVLUakGlkQG+cKDHzhSV4JVE8UPMGdSihI/GYEqb2HL8i/6
Jah24NAR/kjD+n4UKabDFjMKZEXtW5K0
=GcP5
-----END PGP SIGNATURE-----
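The two positions in the exchange above, as an added illustration that is not part of the thread and not code from any of the people quoted: a toy security policy database (SPD) lookup that contrasts explicit proxy-IDs with treating the tunnel as a point-to-point link, and then applies the separate post-decapsulation policy Richardson describes. All networks, addresses, entry names and actions are constructed for this example.

```python
"""Toy SPD lookup: explicit proxy-IDs versus "tunnel as a logical link",
followed by the receiving gateway's own policy decision. Everything here
(networks, addresses, action names) is constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    src: ipaddress.IPv4Network   # selector: inner source address range
    dst: ipaddress.IPv4Network   # selector: inner destination address range
    action: str                  # "protect" | "bypass" | "proxy" | "discard"


def lookup(spd, src_ip, dst_ip):
    """First-match lookup over an ordered SPD; unmatched packets are discarded."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "discard"            # default deny: nothing matched


NET = ipaddress.ip_network

# Outbound SPD with negotiated proxy-IDs: only traffic between the two
# named subnets is protected; "non-local" packets fall through to discard.
SPD_PROXY_IDS = [
    PolicyEntry(NET("10.1.0.0/16"), NET("10.2.0.0/16"), "protect"),
]

# Outbound SPD treating the tunnel as a logical point-to-point link:
# anything routed toward the peer gateway is protected, no proxy-IDs.
SPD_TUNNEL_AS_LINK = [
    PolicyEntry(NET("0.0.0.0/0"), NET("0.0.0.0/0"), "protect"),
]

# Policy applied by the receiving gateway AFTER decapsulation. The link
# got the packet there; this table decides what may be done with it:
# traffic to the constructed 10.2.5.0/24 segment goes up through a proxy,
# the rest of 10.2.0.0/16 bypasses the firewall, anything else is dropped.
SPD_INNER = [
    PolicyEntry(NET("10.1.0.0/16"), NET("10.2.5.0/24"), "proxy"),
    PolicyEntry(NET("10.1.0.0/16"), NET("10.2.0.0/16"), "bypass"),
]


def disposition(outbound_spd, inner_spd, src_ip, dst_ip):
    """Chain both decisions: admission to the tunnel, then the inner policy."""
    if lookup(outbound_spd, src_ip, dst_ip) != "protect":
        return "discard"
    return lookup(inner_spd, src_ip, dst_ip)


if __name__ == "__main__":
    for src, dst in [("10.1.3.4", "10.2.5.9"),
                     ("10.1.3.4", "10.2.7.8"),
                     ("192.168.9.1", "10.2.7.8")]:
        print(src, "->", dst,
              "| proxy-IDs:", lookup(SPD_PROXY_IDS, src, dst),
              "| link:", lookup(SPD_TUNNEL_AS_LINK, src, dst),
              "| after decap:", disposition(SPD_TUNNEL_AS_LINK, SPD_INNER, src, dst))
```

The third sample packet is the interesting one: with wildcard selectors the tunnel admits it, but the receiving gateway's inner policy still discards it, which is exactly the distinction between "the link gets the packets there" and "does your policy allow you to do anything with them".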

