
Re: proposed changes to ISAKMP/Oakley



Ran Atkinson wrote:

<SNIP...>

>   IMHO, omitting explicit definition of the Proxy-ID from the formal
> definition of an IPsec SA is likely to lead to reduced security in
> the operational Internet.  Including it is likely to enhance security
> in the deployed operational Internet.

Agreed - but perhaps it should be noted that there are actually 2
proxies involved in some situations: 

  USER1===|===SGW1--(INTERNET)--SGW2===|===USER2 

Assume no SA exists between any of the systems above. USER1 attempts to
reach USER2 via the path given. SGW1, upon receiving the first packet
from USER1, notes that no SA exists. From its policy db, SGW1 notes that
SGW2 is a proxy for USER2, and so begins ISAKMP negotiation with SGW2.

In this case, there are 2 proxies involved: SGW1 and SGW2. SGW2 must
recognize that it is acting as a proxy for USER2 in this negotiation,
and also that SGW1 is a proxy for USER1. While in some cases policy may
obviate the need for this knowledge (that SGW1 proxies for USER1) on
SGW2's part, this should not be assumed. 

These two proxies should have unique names.

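The scenario in the mail above, modelled as an added example (not code from either poster or from any ISAKMP/Oakley implementation): SGW1 finds no SA for USER1's first packet, consults its policy db to learn that SGW2 proxies for USER2, and builds a proposal naming both proxies. SGW2 then checks both roles before installing the SA: that it really does proxy for the hosts it is asked to protect, and that its own policy names SGW1 as the proxy for the hosts SGW1 claims. The resulting SA is keyed on the two gateway addresses and the two proxy-IDs, which is the point of the quoted paragraph. Addresses, subnets, policy rows and the record format are all constructed for the illustration.

```python
# Toy model of  USER1===|===SGW1--(INTERNET)--SGW2===|===USER2  with two proxies.
# Everything here (addresses, policy rows, "SA" records) is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyEntry:
    """Policy-db row: traffic to 'protected' is tunnelled to the gateway that proxies for it."""
    protected: str   # CIDR the remote gateway proxies for (USER2's subnet, say)
    gateway: str     # address of that remote gateway (tunnel endpoint)


@dataclass(frozen=True)
class SAKey:
    """An SA is identified by both tunnel endpoints AND both proxy-IDs, not endpoints alone."""
    local_gw: str
    remote_gw: str
    local_proxy: str    # CIDR of hosts this gateway protects under the SA
    remote_proxy: str   # CIDR of hosts the peer gateway protects under the SA


class SecurityGateway:
    def __init__(self, name: str, address: str, own_protected: List[str],
                 policy: List[PolicyEntry]):
        self.name = name
        self.address = address
        self.own_protected = [ip_network(p) for p in own_protected]  # hosts I proxy for
        self.policy = policy
        self.sa_db: Dict[SAKey, str] = {}

    def find_sa(self, src: str, dst: str) -> Optional[SAKey]:
        """Select an SA whose proxy-IDs cover (src, dst); None if no such SA exists."""
        for key in self.sa_db:
            if (ip_address(src) in ip_network(key.local_proxy)
                    and ip_address(dst) in ip_network(key.remote_proxy)):
                return key
        return None

    def policy_for(self, target: str) -> Optional[PolicyEntry]:
        """Policy row whose protected range contains the host or subnet 'target'."""
        net = ip_network(target)
        for entry in self.policy:
            if net.subnet_of(ip_network(entry.protected)):
                return entry
        return None

    def covers(self, target: str) -> bool:
        """True if this gateway's own configuration says it proxies for 'target'."""
        net = ip_network(target)
        return any(net.subnet_of(p) for p in self.own_protected)

    # --- SGW1's role: first packet from USER1, no SA yet ---------------------
    def initiate(self, src: str, dst: str) -> Optional[dict]:
        if self.find_sa(src, dst) is not None:
            return None                        # SA already exists; nothing to negotiate
        entry = self.policy_for(dst)
        if entry is None or not self.covers(src):
            return None                        # no policy for dst, or src is not ours to proxy
        return {                               # the proposal names BOTH proxies explicitly
            "initiator_gw": self.address,
            "responder_gw": entry.gateway,
            "initiator_proxy": str(ip_network(src)),   # single host -> /32
            "responder_proxy": entry.protected,
        }

    def install(self, proposal: dict) -> SAKey:
        """Initiator records the accepted SA under the same pair of proxy-IDs."""
        key = SAKey(self.address, proposal["responder_gw"],
                    proposal["initiator_proxy"], proposal["responder_proxy"])
        self.sa_db[key] = "established"
        return key

    # --- SGW2's role: verify both proxy roles before creating the SA ---------
    def respond(self, proposal: dict) -> Tuple[bool, str]:
        if proposal["responder_gw"] != self.address:
            return False, "proposal not addressed to this gateway"
        # 1. Am I actually the proxy for the hosts I am being asked to protect?
        if not self.covers(proposal["responder_proxy"]):
            return False, f"{self.name} does not proxy for {proposal['responder_proxy']}"
        # 2. Does MY policy say the initiating gateway proxies for the hosts it claims?
        entry = self.policy_for(proposal["initiator_proxy"])
        if entry is None or entry.gateway != proposal["initiator_gw"]:
            return False, (f"{proposal['initiator_gw']} is not the policy proxy "
                           f"for {proposal['initiator_proxy']}")
        key = SAKey(self.address, proposal["initiator_gw"],
                    proposal["responder_proxy"], proposal["initiator_proxy"])
        self.sa_db[key] = "established"
        return True, "SA established"


def demo() -> dict:
    """Run the USER1 -> USER2 exchange plus one proposal SGW2's policy cannot confirm."""
    sgw1 = SecurityGateway("SGW1", "192.0.2.1", ["10.1.0.0/16"],
                           [PolicyEntry("10.2.0.0/16", "192.0.2.2")])
    sgw2 = SecurityGateway("SGW2", "192.0.2.2", ["10.2.0.0/16"],
                           [PolicyEntry("10.1.0.0/16", "192.0.2.1")])
    proposal = sgw1.initiate("10.1.0.7", "10.2.0.9")          # USER1 -> USER2
    ok, why = sgw2.respond(proposal)
    if ok:
        sgw1.install(proposal)
    # Same gateway, but claiming hosts SGW2's policy does not assign to it: refused.
    mismatched = dict(proposal, initiator_proxy="10.3.0.0/16")
    bad_ok, bad_why = sgw2.respond(mismatched)
    return {"ok": ok, "why": why, "bad_ok": bad_ok, "bad_why": bad_why,
            "sgw2_sa_count": len(sgw2.sa_db),
            "sgw1_has_sa": sgw1.find_sa("10.1.0.7", "10.2.0.9") is not None,
            "renegotiate": sgw1.initiate("10.1.0.7", "10.2.0.9")}


if __name__ == "__main__":
    print(demo())
```

The second check in `respond` is what explicit proxy-IDs buy the responder: without them SGW2 can only authenticate SGW1 as a gateway, not confirm that SGW1 is the gateway its policy trusts for the particular hosts the SA will carry.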