
Re: use of client IDs
Pyda said:
>I believe, Client ID is mandatory when IKE key negotiator and the
>client node for which it is negotiating are not the same.

Scott replied:
>I don't think this is true. 

Dan said:
>I think the draft is decidedly unambiguous. When some box is operating as 
>a security gateway [...] it must use client IDs 

Scott said:
>I think the draft is clear: specifying the ID of the client is a local
>policy decision ...

Bryan:
	<still confused>


Some other comments ....

>This is, of course, based upon my view of what a security
>gateway is. If your view is different please tell me how.

My view of a security gateway is that it is a router, that is applying
security services to some of the packets flowing through it. 

>> The model that a security gateway is always "negotiating on behalf 
>> of" a client may be intuitive in some scenarios, but I believe is not 
>> in others, and that this model should not drive mandatory protocol 
>> behaviours.
>
>What is it doing then? 

Forwarding packets and applying security services to some of them.

>Bad example. MPLS switching is not done "on behalf" of hosts any more than 
>routing protocols are. If we were talking about link encryption it might
>be more accurate, but who is your peer? You want a single SA to protect 
>multiple disjoint networks. This SA has a single destination address. In 
>the absence of security do all packets from these multiple disjoint networks 
>get routed to this destination? I doubt it. But if they do then send all 
>that traffic through a GRE tunnel and protect it with IPSec. 

Still don't see the fundamental difference. SAs and label switched paths 
are set up between routers. The packets that are fed into the path/SA may
be sourced from an arbitrary number of hosts, and destined for an arbitrary
number of hosts. In the absence of security and MPLS the packets still
get to their destination, but the route taken could be different, and the
services applied along the way could be different.

Bryan