
Re: Proxy & ISAKMP/Oakley




--- On Mon, 20 Oct 1997 14:35:51 -0700  Daniel Harkins <dharkins@cisco.com> wrote:

> If you don't negotiate proxy ids but your ENCAPSULATION_MODE attribute 
> specifies tunnel mode then I guess you can stuff anything in that tunnel.
> Lots of people may consider it a local policy decision on whether to accept
> anything out of the tunnel though.

Disagree.  Negotiating no Proxy-ID for an SA using Tunnel-mode should
have the semantic that only the Sender-ID can use that tunnel.  Lack
of a Proxy-ID means there is no proxy in use for that SA.

For reference, the semantics should be:
	Proxy-ID:	Identity of entity performing IPsec on behalf of sender,
			if none the sender is performing its own IPsec.
	Sender-ID:	Identity of sender of original traffic.

> You could negotiate a proxy id's type of IP_ADDR_SUBNET with the addr 
> 0.0.0.0 and the mask 255.255.255.255 and have port and protocol both zero and
> probably achieve what you're looking for. In that case if someone accepted
> it they'd be acknowledging that anything can come down the pipe.

Maybe agree.  When one wants a wide-open tunnel (never a really wise policy
IMHO), one MUST negotiate a (Proxy-ID == IPsec tunnel start point) and 
(Source-ID == IP_ADDR_SUBNET 0.0.0.0/32 as noted by Dan).

It is actually important that these semantics be clearly described somewhere.
If implementations don't use the same semantics, then badness is a
high-probability outcome.

All IMHO.

Ran
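An added example, not code from this thread or from either participant, of the inbound check a gateway would apply after tunnel-mode decapsulation under the semantics argued for above: with no Proxy-ID negotiated, only the peer itself (the Sender-ID) may originate traffic inside the tunnel; with a Proxy-ID negotiated, the inner source must fall inside the negotiated Source-ID selector. The ID type values follow the IPsec DOI (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4); the class and function names (`IdPayload`, `TunnelSA`, `selector_matches`, `inner_source_permitted`) and the sample addresses are assumptions made for the example. Subnet masks are applied as a bitwise AND, the usual ID_IPV4_ADDR_SUBNET reading; under that reading a selector of 0.0.0.0 with mask 255.255.255.255 covers only the single address 0.0.0.0, so the wide-open selector used here is 0.0.0.0 with mask 0.0.0.0. The check fails closed when a Proxy-ID is present but no Source-ID was negotiated.

```python
"""Added example: inbound selector check after tunnel-mode decapsulation.

Not code from the IPsec WG or either participant. Implements the Proxy-ID
semantics proposed in the message above:
  * no Proxy-ID negotiated -> only the peer itself (Sender-ID) may originate
    traffic inside the tunnel;
  * Proxy-ID negotiated    -> the inner source must be covered by the
    negotiated Source-ID selector (ID_IPV4_ADDR or ID_IPV4_ADDR_SUBNET).
Masks are applied as a bitwise AND, so the wide-open selector is
0.0.0.0 with mask 0.0.0.0.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# IPsec DOI identification types; only these two are handled here.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4


@dataclass(frozen=True)
class IdPayload:
    """Minimal ISAKMP Identification payload (hypothetical shape)."""
    id_type: int
    addr: str
    mask: str = "255.255.255.255"   # consulted only for ID_IPV4_ADDR_SUBNET
    protocol: int = 0               # 0 = any protocol
    port: int = 0                   # 0 = any port


@dataclass(frozen=True)
class TunnelSA:
    """Negotiated phase-2 SA, reduced to what the inbound check needs (hypothetical shape)."""
    peer_addr: str                          # Sender-ID: the IKE peer / outer tunnel endpoint
    tunnel_mode: bool
    proxy_id: Optional[IdPayload] = None    # Proxy-ID; None = no proxy negotiated
    source_id: Optional[IdPayload] = None   # Source-ID selector for inner traffic


def selector_matches(sel: IdPayload, src: str, proto: int, port: int) -> bool:
    """True if the inner (src, proto, port) triple is covered by the ID payload."""
    if sel.protocol and sel.protocol != proto:
        return False
    if sel.port and sel.port != port:
        return False
    src_n = int(IPv4Address(src))
    addr_n = int(IPv4Address(sel.addr))
    if sel.id_type == ID_IPV4_ADDR:
        return src_n == addr_n
    if sel.id_type == ID_IPV4_ADDR_SUBNET:
        mask_n = int(IPv4Address(sel.mask))
        return (src_n & mask_n) == (addr_n & mask_n)
    return False  # unsupported ID type: fail closed


def inner_source_permitted(sa: TunnelSA, inner_src: str, proto: int = 0, port: int = 0) -> bool:
    """Decide whether a packet decapsulated from `sa` may enter with inner source `inner_src`."""
    if not sa.tunnel_mode:
        # Transport mode carries no inner header; the source is the peer by construction.
        return inner_src == sa.peer_addr
    if sa.proxy_id is None:
        # No Proxy-ID means no proxy is in use: only the sender itself may use the tunnel.
        return inner_src == sa.peer_addr
    if sa.source_id is None:
        # A proxy with nothing to check the inner source against: fail closed.
        return False
    return selector_matches(sa.source_id, inner_src, proto, port)


if __name__ == "__main__":
    # Constructed sample: gateway 192.0.2.1 is the peer; 198.51.100.7 is a host behind it.
    gw, host = "192.0.2.1", "198.51.100.7"
    no_proxy = TunnelSA(peer_addr=gw, tunnel_mode=True)
    print(inner_source_permitted(no_proxy, gw), inner_source_permitted(no_proxy, host))
    wide_open = TunnelSA(gw, True, proxy_id=IdPayload(ID_IPV4_ADDR, gw),
                         source_id=IdPayload(ID_IPV4_ADDR_SUBNET, "0.0.0.0", "0.0.0.0"))
    print(inner_source_permitted(wide_open, host))
```

The first two decisions in the usage block show the strict reading of "no Proxy-ID": the peer's own address passes and a host behind it is dropped. The third shows the wide-open tunnel that the message says must be negotiated explicitly, with the gateway as Proxy-ID and an all-zeros subnet as Source-ID.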
