Re: why single value destipaddress in SA selector
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Padma" == Padma Goli <padma@trinc.com> writes:
Padma> According to the Ipsec Architecture RFC, Destination
Padma> address part of selectors can have single, range, wildcard
Padma> in SPD but SA can have only single IP address. Why is it
Padma> so? Why can't we have range or wildcard in SA dest ip
You're confusing the thing that determines what goes into a tunnel,
and what the tunnel end points are.
Padma> Consider an example wherein there are policies at H1 and
Padma> SG1 saying host H1 can have ESP tunnel upto SG1 for any of
Padma> the hosts beyond SG1. Assume SG1 is connected to H2, H3
Padma> and H4 on 192.9.100.0 subnet and SG1 address is 192.9.100.1
Padma> and H2 is 192.9.100.2, 100.3 for H3 and 100.4 for H4
Padma> So SPD policy selectors at SG1 would be
Padma> Srcipaddr destipaddr H1 192.9.100.0
That isn't what I'd do.
I'd make an SA:
SRC=H1, DST=SG1, SPI=<whatever>
It would have an SPD: src=H1, DST=192.9.100.0/24
IMHO, I think you are suffering from overspecification in the
architecture documents. Please read that document as a set of
functional requirements, rather than a detailed design specification.
] Network Security Consulting and Contract Programming | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQBVAwUBNSjdcx4XQavxnHg9AQGwbQH/elaQ0U4Y8pt/UHzNp0felTxDLbzL4YPx
vK1dNd5+BLAkMJj5F1UXWcptGWWu38w/TK6MRr/O1jf7mk3CA0sUaA==
=0NMR
-----END PGP SIGNATURE-----
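As an added illustration of the distinction drawn in the reply above (this is constructed example code, not code from the thread, from SSH IPsec, or from any real IPsec stack), the following models an ordered SPD whose selectors may carry a prefix, and an SA that is bound to exactly one pair of tunnel endpoints. H1's address (10.1.1.1) and the SPI value are assumptions; SG1 and the 192.9.100.0/24 subnet come from the thread. The inbound side shows the complementary check an implementation performs after decapsulation: the inner packet must fall within the selectors of the policy that owns the SA, otherwise a peer could use the tunnel to inject traffic the policy never authorised.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SA:
    """One security association: a single outer source, a single outer
    destination (the tunnel endpoint), and an SPI."""
    src: str   # outer (tunnel) source address
    dst: str   # outer (tunnel) destination address
    spi: int   # security parameter index (assumed value below)


@dataclass(frozen=True)
class SPDEntry:
    """One policy entry. Selectors may be a host or a prefix; the entry
    optionally points at the SA that protects matching traffic."""
    src_sel: str
    dst_sel: str
    action: str               # "protect", "bypass" or "discard"
    sa: Optional[SA] = None

    def matches(self, src: str, dst: str) -> bool:
        # ip_network("10.1.1.1") yields a /32, so hosts and prefixes
        # are handled by the same test.
        return (ip_address(src) in ip_network(self.src_sel, strict=False)
                and ip_address(dst) in ip_network(self.dst_sel, strict=False))


H1 = "10.1.1.1"        # assumed address for host H1
SG1 = "192.9.100.1"    # SG1's address, as given in the thread

# The SA is bound to one destination: the gateway SG1, not the hosts behind it.
TUNNEL_SA = SA(src=H1, dst=SG1, spi=0x1000)   # SPI is an assumed value

# The SPD is ordered; the first matching entry wins. Only the policy
# selector carries the /24 covering H2, H3 and H4.
SPD = [
    SPDEntry(src_sel=H1, dst_sel="192.9.100.0/24", action="protect", sa=TUNNEL_SA),
    SPDEntry(src_sel="0.0.0.0/0", dst_sel="0.0.0.0/0", action="discard"),
]


def outbound_lookup(src: str, dst: str) -> Optional[SPDEntry]:
    """Return the first SPD entry whose selectors cover the packet."""
    for entry in SPD:
        if entry.matches(src, dst):
            return entry
    return None


def encapsulate(src: str, dst: str):
    """Outer header (src, dst, spi) for an outbound packet, or None when
    the policy does not protect it (bypass or discard)."""
    entry = outbound_lookup(src, dst)
    if entry is None or entry.action != "protect" or entry.sa is None:
        return None
    return (entry.sa.src, entry.sa.dst, entry.sa.spi)


def inbound_check(sa: SA, inner_src: str, inner_dst: str) -> bool:
    """After decapsulating on the SA, verify the inner packet is within
    the selectors of the policy that owns this SA."""
    for entry in SPD:
        if entry.action == "protect" and entry.sa == sa:
            return entry.matches(inner_src, inner_dst)
    return False


if __name__ == "__main__":
    for dst in ("192.9.100.2", "192.9.100.3", "192.9.100.4", "10.5.5.5"):
        print(dst, "->", encapsulate(H1, dst))
    print("inbound ok:", inbound_check(TUNNEL_SA, H1, "192.9.100.2"))
    print("inbound spoof:", inbound_check(TUNNEL_SA, "10.9.9.9", "192.9.100.2"))
```

Packets from H1 to any of H2, H3 or H4 match the single SPD entry and are all carried by the same SA, whose outer destination is always SG1; a packet to an address outside the prefix falls through to the discard entry and gets no SA at all.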