Re: use of client IDs
On Fri, 19 Jun 1998 12:13:33 PDT you wrote
[snip]
> > It already allows TCP/UDP port info and subnets and ranges. No, it can't
> > express multiple disjoint subnets as a single entity. You need as many SAs
> > as you have subnets in that case. This limitation (and also the inability
> > to express the "everything except..." construct) is acknowledged.
> >
>
> Thanks for the clarification. How does it allow TCP/UDP port info? Can you
> point me to a section that describes this? Thanks.
It's in section 4.6.2 of the DOI.
[snip]
> > > For example if there are two hosts communicating over the
> > > Internet, and somewhere in the middle two routers, over which the host
> > > to host traffic travels, decide to set up an MPLS label switched path
> > > between themselves to provide for some traffic engineering, I wouldn't
> > > view the setting up of the label switched path as being "on behalf of
> > > the client that was ultimately sourcing the IP packets". It is rather
> > > a policy decision made by the domain administrator, and is completely
> > > transparent to any hosts, who probably have no idea of what
> > > an MPLS label switched path was or why they would ever want someone
> > > to get one on their behalf. Also you wouldn't want to force a separate
> > > label switched path for every client or client address range (subnet)
> > > since that may be irrelevant to the policy aims of the administrator.
> > >
> > > I think exactly the same situation arises with setting up an IPSEC
> > > tunnel between two routers / gateways. In both cases there is a
> > > "connection" (label switched path or SA) and there is a
> > > filtering / selector policy which determines which packets get what
> > > label or get transmitted on what SA. Now if the client ID were
> > > mandatory for a security gateway, then a separate SA *would* be required
> > > for disjoint subnets, because the ID payload, in its duty as a poor
> > > man's policy descriptor, was not capable of representing this and
> > > this would be true even when the source addresses of the packets
> > > to be sent on an SA are irrelevant to the policy that an administrator
> > > wishes to implement.
> >
> > Bad example. MPLS switching is not done "on behalf" of hosts any more than
> > routing protocols are. If we were talking about link encryption it might
> > be more accurate, but who is your peer? You want a single SA to protect
> > multiple disjoint networks. This SA has a single destination address. In
> > the absence of security do all packets from these multiple disjoint networks
> > get routed to this destination? I doubt it. But if they do then send all
> > that traffic through a GRE tunnel and protect it with IPSec.
> >
>
> I think Bryan is arguing for making ID payload (which in its current state
> is the poor man's policy descriptor) mandatory.
For the case that he's describing it already is!
Dan.
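As an added illustration (not part of the thread), here is a small Python model of the DOI identification payload and of the SA-count consequence discussed above. It assumes the field layout and ID-type values of the IPsec DOI as later published in RFC 2407 (section 4.6.2: ID Type, Protocol ID, Port, then the address data), and the subnets it uses are constructed sample values.

```python
import ipaddress
import struct

# ID-type values from the IPsec DOI (RFC 2407, section 4.6.2). The one-octet
# Protocol ID and two-octet Port fields are what let a single ID carry TCP/UDP
# port information; a value of zero means "ignore this field".
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4

def encode_id(cidr, proto=0, port=0):
    """Build the DOI-specific part of an ID payload (the generic ISAKMP payload
    header is omitted) for one IPv4 host or subnet, optionally restricted to
    one IP protocol and port."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        idtype, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        # ID_IPV4_ADDR_SUBNET data is a 4-octet address followed by a 4-octet mask.
        idtype = ID_IPV4_ADDR_SUBNET
        data = net.network_address.packed + net.netmask.packed
    return struct.pack("!BBH", idtype, proto, port) + data

def sas_for_selectors(cidrs):
    """One ID, and hence one SA, per contiguous block: the DOI has no 'set of
    subnets' ID type, so disjoint networks cannot share an ID. Adjacent
    blocks that form a single larger CIDR are merged first."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in nets]

def sas_for_everything_except(excluded):
    """'Everything except X' has no ID type either; the closest a gateway can
    get is to enumerate the complement of X within 0.0.0.0/0, which costs one
    ID (one SA) per resulting block."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, excluded):
        nxt = []
        for r in remaining:
            if ex.subnet_of(r):          # carve the excluded block out of r
                nxt.extend(r.address_exclude(ex))
            elif r.subnet_of(ex):        # r lies entirely inside the exclusion
                continue
            else:
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]
```

Running `sas_for_everything_except(["10.0.0.0/8"])` shows the cost concretely: excluding a single /8 from "everything" leaves eight CIDR blocks, i.e. eight SAs, where one "all but 10/8" selector would otherwise do.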