[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Auto filter rule generation for Phase 2 tunnels

To: ipsec@tis.com
Subject: Re: Auto filter rule generation for Phase 2 tunnels
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 18 Nov 1997 10:38:45 -0500
In-reply-to: Your message of "Tue, 18 Nov 1997 09:55:12 EST." <5040200007929916000002L062*@MHS>
Sender: owner-ipsec@ex.tis.com

-----BEGIN PGP SIGNED MESSAGE-----


   I don't know what a "Phase 2" tunnel is, but I think I understand
your description. A diagram would help me a lot. Maybe I can counter
with what I think is a similar example?
  I asked a couple of people some questions about the following
scenario during the ANX interop, and got some interesting answers.
  
   net 1.2/16 ************ net 2.3.4/24
      \                    /
       R---Gw1======Gw2----R
      /                    \
   net 1.2.3/24 ********** net 2.3/16

  [ - unprotected physical link.
    = protected physical link.
    * logical (protected) link/tunnel.
   
  Assume two tunnels between Gw1 and Gw2:

	1.	1.2/16 <-> 2.3.4/24 with parameter set 1 (e.g. 3DES+SHA1-96)
        2.	1.2.3/24 <-> 2.3/16 with parameter set 2 (e.g. RC4-40+MD5-96)

  Assume data flow between 1.2.3.1 and 2.3.4.4.

  If one sorts the filters by "source" prefix length, then packets
flow with parameters set 2 in the -> direction, and parameter set 1 in
the <- direction.
  If one sorts the filters by "destination" prefix length, the packets
flow with parameters set 1 in the -> direction, and parameter set 2 in
the <- direction.
  The other alternative is not to sort, so it winds up as some
function of what order the rules were loaded. A final sort is to sort
by strength of algorithm first, and source/destination later. That may
result in non-optimal usage if the user really wanted to use a faster,
weaker algorithm in some cases.

  The correct answer is that this situation is ambiguous. The correct
solution is to recognize the ambiguity in the UI and do:
	
        3.	1.2.3/24 <-> 2.3.4/24 with parameter set 3 

]     Where's the sun? Oh there you are. Aren't you late today? | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


  

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNHG2fsmxxiPyUBAxAQErpwMAiXIDQ6NfS4NsvNWK+S5OwuR+8lQTD2bu
QzMXwCN2+kX0uVwvbyqFpPAOLxDn3vVlE7O9ao4VQ1detZ1ndrUZRlbVfe7SQ3FB
xWLiMRb054Qt8avXB6zIcusxktsBxCWZ
=pkxH
-----END PGP SIGNATURE-----

References:

Auto filter rule generation for Phase 2 tunnels

From: Vach Kompella <kompella@us.ibm.com>

Prev by Date: I-D ACTION:draft-ietf-ipsec-isakmp-oakley-05.txt
Next by Date: I-D ACTION:draft-ietf-ipsec-arch-sec-02.txt
Prev by thread: Auto filter rule generation for Phase 2 tunnels
Next by thread: Re: Auto filter rule generation for Phase 2 tunnels
Index(es):
- Main
- Thread