[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Auto filter rule generation for Phase 2 tunnels
-----BEGIN PGP SIGNED MESSAGE-----
I don't know what a "Phase 2" tunnel is, but I think I understand
your description. A diagram would help me a lot. Maybe I can counter
with what I think is a similar example?
I asked a couple of people some questions about the following
scenario during the ANX interop, and got some interesting answers.
net 1.2/16 ************ net 2.3.4/24
\ /
R---Gw1======Gw2----R
/ \
net 1.2.3/24 ********** net 2.3/16
[ - unprotected physical link.
= protected physical link.
* logical (protected) link/tunnel.
Assume two tunnels between Gw1 and Gw2:
1. 1.2/16 <-> 2.3.4/24 with parameter set 1 (e.g. 3DES+SHA1-96)
2. 1.2.3/24 <-> 2.3/16 with parameter set 2 (e.g. RC4-40+MD5-96)
Assume data flow between 1.2.3.1 and 2.3.4.4.
If one sorts the filters by "source" prefix length, then packets
flow with parameters set 2 in the -> direction, and parameter set 1 in
the <- direction.
If one sorts the filters by "destination" prefix length, the packets
flow with parameters set 1 in the -> direction, and parameter set 2 in
the <- direction.
The other alternative is not to sort, so it winds up as some
function of what order the rules were loaded. A final sort is to sort
by strength of algorithm first, and source/destination later. That may
result in non-optimal usage if the user really wanted to use a faster,
weaker algorithm in some cases.
The correct answer is that this situation is ambiguous. The correct
solution is to recognize the ambiguity in the UI and do:
3. 1.2.3/24 <-> 2.3.4/24 with parameter set 3
] Where's the sun? Oh there you are. Aren't you late today? | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNHG2fsmxxiPyUBAxAQErpwMAiXIDQ6NfS4NsvNWK+S5OwuR+8lQTD2bu
QzMXwCN2+kX0uVwvbyqFpPAOLxDn3vVlE7O9ao4VQ1detZ1ndrUZRlbVfe7SQ3FB
xWLiMRb054Qt8avXB6zIcusxktsBxCWZ
=pkxH
-----END PGP SIGNATURE-----
References: