
RE: use of client IDs

Scott,

Thanks for the detailed reply.
  
> > If it is the
> > case and a security gateway has multiple disjoint IP subnets
> > behind it, all of which could source packets to be sent on the
> > IPSEC SA, how should the client ID be set - use multiple ID
> > payloads, a different SA for each disjoint subnet, or something
> > else ?
> 
> This isn't currently supported, but it has been discussed off the list.
> That was during last call for the current document set, so it wasn't
> proposed to the list. I will continue to hold off on posting the
> suggested mechanism to this list until the chairs release the finalized
> agenda for ipsecond.

I think that attempting to define a general purpose selector 
protocol, which tells a responder exactly what packets the 
initiator intends to send on an SA, is going to prove quite
difficult. For example I might want to encode in a message that
the SA was used to carry all traffic from subnets 1,2 & 3 
to subnet 100, except ftp and telnet traffic (which receive
different treatment). In the absence of a fully general purpose
protocol whatever is defined will at best be a half-way house,
as it is today. It will always be a subset of the selector rules
that people wish to use.

> It depends on the granularity of policy you would like to exercise, and
> on the policy configuration of the remote gateway.  If you (and the
> other gateway) don't mind having all the traffic from one net to the
> other being funneled into one tunnel (using the same keys, etc), then
> you don't need to use client IDs. If you want finer control, with
> different policies applied to different hosts/protocols/ports, then you
> need client IDs.

I think that applying a fine level of control about what packets get 
transmitted onto an SA, is separate from conveying the filtering 
information to the other end of the SA. A gateway could be separating 
traffic out using an arbitrary amount of information from a packet 
(e.g. looking at embedded URLs) and applying different security 
policies. I'm assuming that there is no need for the receiver side
of an SA to view the allowed traffic on an SA with the same granularity
as the sender does. It may be the same, or it may be coarser, all the way
down to allowing "any". Is this correct, or do both sides have to share
exactly the same view?

To remove any ambiguity would anyone object to adding the following
to the IKE spec (section 5.5) - "The use of client identities is 
optional for both hosts and security gateways" ?

Bryan Gleeson
Shasta Networks.
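The sender/receiver granularity question raised above can be made concrete with a small model. The following is an added example, not part of the thread and not from any IKE or IPsec implementation: a sending gateway classifies outbound packets onto SAs with a fine-grained, ordered policy (the subnets-1,2,3-to-subnet-100, ftp/telnet-separated case from the message), while the receiving gateway checks inbound packets on each SA against its own, possibly coarser, selector list. The subnets, SA names, packets and selector tuples are all constructed for illustration. The `find_mismatches` helper shows the failure mode a practitioner cares about: when the receiver's view of an SA is narrower than the sender's, traffic the sender legitimately puts on the SA is dropped on arrival, whereas a coarser receiver view (down to "any") accepts everything the sender emits.

```python
"""Toy model of IPsec traffic selectors: a sending gateway's fine-grained
policy versus the receiving gateway's (possibly coarser) view of an SA.
Constructed example; not from the thread or any IKE/IPsec code."""
import ipaddress

ANY = "any"  # wildcard for any selector field


def _ip_in(cidr, ip):
    """True if `ip` falls inside `cidr`, or the selector field is a wildcard."""
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def selector_matches(sel, pkt):
    """sel: (src_cidr, dst_cidr, proto, dport); pkt: dict with src, dst, proto, dport.
    Each selector field is either a concrete value or ANY."""
    src, dst, proto, dport = sel
    return (_ip_in(src, pkt["src"]) and _ip_in(dst, pkt["dst"])
            and proto in (ANY, pkt["proto"])
            and dport in (ANY, pkt["dport"]))


def sender_choose_sa(policy, pkt):
    """policy: ordered list of (selector, sa_name); first match wins, like an SPD.
    Returns the SA name, or None if no policy entry covers the packet."""
    for sel, sa in policy:
        if selector_matches(sel, pkt):
            return sa
    return None


def receiver_accepts(sa_selectors, sa, pkt):
    """Inbound check: a packet arriving on `sa` is accepted only if it matches
    one of the selectors the receiver associates with that SA."""
    return any(selector_matches(sel, pkt) for sel in sa_selectors.get(sa, []))


def find_mismatches(policy, sa_selectors, packets):
    """Return (pkt, sa) pairs the sender would put on an SA that the receiver
    would then drop, i.e. where the receiver's view of the SA is narrower
    than the sender's. An empty list means the receiver's view covers the
    sender's for these packets."""
    out = []
    for pkt in packets:
        sa = sender_choose_sa(policy, pkt)
        if sa is not None and not receiver_accepts(sa_selectors, sa, pkt):
            out.append((pkt, sa))
    return out


# Constructed sender policy: ftp (21) and telnet (23) from three subnets get a
# separate SA; all other traffic from those subnets to subnet 100 shares one.
SUBNETS = ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")
SENDER_POLICY = [
    ((s, "192.168.100.0/24", "tcp", p), "sa_admin") for s in SUBNETS for p in (21, 23)
] + [
    ((s, "192.168.100.0/24", ANY, ANY), "sa_bulk") for s in SUBNETS
]

# Constructed receiver views. Coarse: any source to subnet 100 per SA.
RECEIVER_COARSE = {
    "sa_admin": [(ANY, "192.168.100.0/24", "tcp", ANY)],
    "sa_bulk": [(ANY, "192.168.100.0/24", ANY, ANY)],
}
# Narrow: receiver only knows about subnet 1 (and only telnet on sa_admin).
RECEIVER_NARROW = {
    "sa_admin": [("10.1.0.0/24", "192.168.100.0/24", "tcp", 23)],
    "sa_bulk": [("10.1.0.0/24", "192.168.100.0/24", ANY, ANY)],
}

# Constructed sample packets.
SAMPLE_PACKETS = [
    {"src": "10.1.0.5", "dst": "192.168.100.7", "proto": "tcp", "dport": 23},
    {"src": "10.2.0.9", "dst": "192.168.100.7", "proto": "tcp", "dport": 21},
    {"src": "10.3.0.2", "dst": "192.168.100.8", "proto": "udp", "dport": 53},
    {"src": "172.16.0.1", "dst": "192.168.100.8", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for name, view in (("coarse", RECEIVER_COARSE), ("narrow", RECEIVER_NARROW)):
        dropped = find_mismatches(SENDER_POLICY, view, SAMPLE_PACKETS)
        print(f"receiver view '{name}': {len(dropped)} packet(s) sent but dropped")
        for pkt, sa in dropped:
            print(f"  {pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dport']} on {sa}")
```

Running it reports no drops for the coarse view and two for the narrow view (the telnet packet from subnet 2 on sa_admin and the UDP packet from subnet 3 on sa_bulk); the 172.16.0.1 packet matches no sender policy entry and so never enters the comparison.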
