
Re: Auto filter rule generation for Phase 2 tunnels



Vach,

	This question is addressed in the IPsec security architecture
document, a revised version of which has just been posted as an I-D.  The
solution proposed there (as in the previous version distributed on
7/30/97) is that the set of security policy rules (filters) MUST be
ordered.  As you note, there is no obvious canonical ordering, especially
when one adds the other selector types defined in the architecture
document.  It is important that both ends know what traffic is being
matched to which rules, since there is also a desire to check the source
address (and maybe other selector info) upon receipt, to prevent spoofing
after SA establishment.

Steve
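The two points in the reply above, first-match over an ordered set of policy rules and a selector check on received traffic, as an added illustration that is not part of the mailing-list post or of any IPsec implementation. The rule names, subnets and ports are constructed for the example, and the "no rule matches means no match" result is an assumption of this code, not a statement from the thread:

```python
"""Ordered IPsec security policy lookup and an inbound selector check.

Added illustration (not from the mailing-list post): a first-match,
ordered policy list, showing that two orderings of overlapping rules
classify the same packet differently, plus the receive-side check that
a decapsulated packet's selectors match what the SA was negotiated for.
All addresses, ports and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number (17 = UDP)
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus optional protocol and port."""
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: Optional[int] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class PolicyRule:
    name: str
    selector: Selector
    action: str   # "protect", "bypass" or "discard"


def lookup(spd: List[PolicyRule], pkt: Packet) -> Optional[PolicyRule]:
    """First-match over an ordered policy list; None means no rule applies."""
    for rule in spd:
        if rule.selector.matches(pkt):
            return rule
    return None


def inbound_check(sa_selector: Selector, inner: Packet) -> bool:
    """After decapsulation, require the inner packet to fit the SA's selector.

    A packet whose inner source lies outside what the SA was negotiated
    for is rejected, which is the anti-spoofing check the reply mentions.
    """
    return sa_selector.matches(inner)


def classify(spd: List[PolicyRule], pkt: Packet) -> str:
    rule = lookup(spd, pkt)
    return rule.name if rule else "no-match"


# Constructed rules: a broad "protect everything to the remote site" rule
# and a narrower bypass for DNS between two subnets. They overlap.
PROTECT_SITE = PolicyRule("protect-site", Selector("10.0.0.0/8", "192.168.0.0/16"), "protect")
BYPASS_DNS = PolicyRule("bypass-dns", Selector("10.1.2.0/24", "192.168.5.0/24", 17, 53), "bypass")

SPD_BROAD_FIRST = [PROTECT_SITE, BYPASS_DNS]
SPD_NARROW_FIRST = [BYPASS_DNS, PROTECT_SITE]

# A DNS query that both rules cover, so only the ordering decides.
DNS_QUERY = Packet("10.1.2.5", "192.168.5.1", 17, 53)

# Selector the (constructed) Phase 2 SA was negotiated for.
SA_SELECTOR = Selector("10.1.2.0/24", "192.168.5.0/24")


if __name__ == "__main__":
    print("broad-first :", classify(SPD_BROAD_FIRST, DNS_QUERY))
    print("narrow-first:", classify(SPD_NARROW_FIRST, DNS_QUERY))
    genuine = Packet("10.1.2.5", "192.168.5.1", 17, 53)
    spoofed = Packet("172.16.0.9", "192.168.5.1", 17, 53)
    print("inbound genuine:", inbound_check(SA_SELECTOR, genuine))
    print("inbound spoofed:", inbound_check(SA_SELECTOR, spoofed))
```

Running it shows the same DNS packet landing on "protect-site" under one ordering and "bypass-dns" under the other, which is why both peers have to agree on the order and not just on the rule set; the inbound check then rejects a decapsulated packet whose inner source address is outside the SA's negotiated selector.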



