Re: Proxy & ISAKMP/Oakley
--- On Mon, 20 Oct 1997 14:35:51 -0700 Daniel Harkins <dharkins@cisco.com> wrote:
> If you don't negotiate proxy ids but your ENCAPSULATION_MODE attribute
> specifies tunnel mode then I guess you can stuff anything in that tunnel.
> Lots of people may consider it a local policy decision on whether to accept
> anything out of the tunnel though.
Disagree. Negotiating no Proxy-ID for an SA using Tunnel-mode should
have the semantic that only the Sender-ID can use that tunnel. Lack
of a Proxy-ID means there is no proxy in use for that SA.
For reference, the semantics should be:
Proxy-ID: Identity of entity performing IPsec on behalf of sender;
if none, the sender is performing its own IPsec.
Sender-ID: Identity of sender of original traffic.
> You could negotiate a proxy id's type of IP_ADDR_SUBNET with the addr
> 0.0.0.0 and the mask 255.255.255.255 and have port and protocol both zero and
> probably achieve what you're looking for. In that case if someone accepted
> it they'd be acknowledging that anything can come down the pipe.
Maybe agree. When one wants a wide-open tunnel (never a really wise policy
IMHO), one MUST negotiate a (Proxy-ID == IPsec tunnel start point) and
(Source-ID == IP_ADDR_SUBNET 0.0.0.0/32 as noted by Dan).
It is actually important that these semantics be clearly described somewhere.
If implementations don't use the same semantics, then badness is a high
probability outcome.
All IMHO.
Ran
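As an added illustration of the Proxy-ID/Sender-ID semantics proposed above (example code written for this page, not from the thread or from any implementation), a minimal inbound check for a tunnel-mode SA: with no Proxy-ID, only the peer named by the Sender-ID may appear as the inner source; with a Proxy-ID, the outer packet must come from the proxy and the inner source must fall within the Sender-ID. The addresses are constructed, and the wide-open Sender-ID is encoded with a mask of 0.0.0.0 so that a mask-and-compare match accepts any address; that encoding is an assumption of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class SubnetID:
    """An IP_ADDR_SUBNET identity: address plus mask, matched mask-and-compare."""
    address: IPv4Address
    mask: IPv4Address

    def contains(self, addr: IPv4Address) -> bool:
        m = int(self.mask)
        return (int(addr) & m) == (int(self.address) & m)


def host_id(addr: str) -> SubnetID:
    """A single-host identity, i.e. a subnet with an all-ones mask."""
    return SubnetID(IPv4Address(addr), IPv4Address("255.255.255.255"))


@dataclass(frozen=True)
class TunnelSA:
    sender_id: SubnetID               # who may originate traffic inside the tunnel
    proxy_id: Optional[IPv4Address]   # IPsec entity acting for them; None = no proxy


def inbound_allowed(sa: TunnelSA, outer_src: str, inner_src: str) -> bool:
    """Decide whether a decapsulated packet may leave the tunnel.

    outer_src is the source of the ESP/AH packet; inner_src is the source of
    the original IP header carried inside it.
    """
    outer, inner = IPv4Address(outer_src), IPv4Address(inner_src)
    if sa.proxy_id is None:
        # No proxy: the IKE peer protects its own traffic, so the inner source
        # must be the peer itself and must match the negotiated Sender-ID.
        return inner == outer and sa.sender_id.contains(inner)
    # Proxy in use: the ESP packet must come from the proxy, and the original
    # traffic must come from the population the Sender-ID describes.
    return outer == sa.proxy_id and sa.sender_id.contains(inner)


# Constructed sample SAs (RFC 5737 / RFC 1918 addresses, not from the thread).
HOST_SA = TunnelSA(sender_id=host_id("192.0.2.10"), proxy_id=None)
GATEWAY_SA = TunnelSA(
    sender_id=SubnetID(IPv4Address("10.1.0.0"), IPv4Address("255.255.0.0")),
    proxy_id=IPv4Address("192.0.2.1"),
)
# Wide-open tunnel: Proxy-ID is the tunnel start point; a 0.0.0.0 mask (assumed
# encoding) makes mask-and-compare accept any inner source.
OPEN_SA = TunnelSA(
    sender_id=SubnetID(IPv4Address("0.0.0.0"), IPv4Address("0.0.0.0")),
    proxy_id=IPv4Address("192.0.2.1"),
)
```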