
Re: use of client IDs



On Fri, 19 Jun 1998 12:13:33 PDT you wrote
[snip]
> > It already allows TCP/UDP port info and subnets and ranges. No, it can't 
> > express multiple disjoint subnets as a single entity. You need as many SAs 
> > as you have subnets in that case. This limitation (and also the inability
> > to express the "everything except..." construct) is acknowledged.
> > 
> 
> Thanks for the clarification. How does it allow TCP/UDP port info? Can you
> point me to a section that describes this? Thanks.

It's in section 4.6.2 of the DOI.

[snip]
> > > For example if there are two hosts communicating over the 
> > > Internet, and somewhere in the middle two routers, over which the host 
> > > to host traffic travels, decide to set up an MPLS label switched path 
> > > between themselves to provide for some traffic engineering, I wouldn't 
> > > view the setting up of the label switched path as being "on behalf of 
> > > the client that was ultimately sourcing the IP packets". It is rather
> > > a policy decision made by the domain administrator, and is completely
> > > transparent to any hosts, who probably have no idea of what
> > > an MPLS label switched path was or why they would ever want someone
> > > to get one on their behalf. Also you wouldn't want to force a separate 
> > > label switched path for every client or client address range (subnet)
> > > since that may be irrelevant to the policy aims of the administrator. 
> > >
> > > I think exactly the same situation arises with setting up an IPSEC 
> > > tunnel between two routers / gateways. In both cases there is a 
> > > "connection" (label switched path or SA) and there is a 
> > > filtering / selector policy which determines which packets get what 
> > > label or get transmitted on what SA. Now if the client ID were 
> > > mandatory for a security gateway, then a separate SA *would* be required
> > > for disjoint subnets, because the ID payload, in its duty as a poor 
> > > man's policy descriptor, was not capable of representing this and 
> > > this would be true even when the source addresses of the packets 
> > > to be sent on an SA are irrelevant to the policy that an administrator 
> > > wishes to implement. 
> > 
> > Bad example. MPLS switching is not done "on behalf" of hosts any more than 
> > routing protocols are. If we were talking about link encryption it might
> > be more accurate, but who is your peer? You want a single SA to protect 
> > multiple disjoint networks. This SA has a single destination address. In 
> > the absence of security do all packets from these multiple disjoint networks
> > get routed to this destination? I doubt it. But if they do then send all 
> > that traffic through a GRE tunnel and protect it with IPSec. 
> > 
> 
> I think Bryan is arguing for making the ID payload (which in its current state
> is the poor man's policy descriptor) mandatory.

For the case that he's describing it already is!

  Dan.
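The thread's point about selectors (one address, subnet or range per side, optionally with protocol and port, so disjoint subnets need separate SAs and "everything except..." has no single representation) can be made concrete with a toy SPD lookup. The code below is an added illustration, not part of the original thread or any IPsec implementation; the addresses, the gateway "203.0.113.1" and the selector model are constructed for the example, and the complement computation uses Python's ipaddress module rather than anything in the DOI itself.

```python
"""Toy IPsec SPD lookup illustrating selector limits discussed in the thread.

A selector, like a DOI identification payload, names one address, subnet
or range per side, optionally narrowed by protocol and port.  Two disjoint
subnets therefore need two entries (and in general two SAs), and
"everything except X" expands to a list of prefixes, not one selector.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    """One identity per side: a single CIDR (a host is a /32)."""
    src: str                     # e.g. "10.1.0.0/16"
    dst: str
    proto: Optional[int] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    peer: str   # security gateway the SA for this entry is negotiated with


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[str]:
    """Return the peer whose SA would carry pkt, or None if no entry matches."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.peer
    return None


def entries_for_subnets(subnets: List[str], dst: str, peer: str,
                        proto: Optional[int] = None,
                        dport: Optional[int] = None) -> List[SPDEntry]:
    """Disjoint subnets cannot share one selector, so each gets its own entry."""
    return [SPDEntry(Selector(s, dst, proto, dport), peer) for s in subnets]


def selectors_for_everything_except(excluded: str) -> List[str]:
    """'Everything except X' is the list of prefixes covering the complement of X."""
    whole = ip_network("0.0.0.0/0")
    return [str(n) for n in whole.address_exclude(ip_network(excluded))]


if __name__ == "__main__":
    gw = "203.0.113.1"  # constructed peer gateway address
    # Two disjoint client subnets, both protected toward the same remote net,
    # narrowed to TCP port 443: two entries, hence two SAs.
    spd = entries_for_subnets(["10.1.0.0/16", "192.168.5.0/24"],
                              "172.16.0.0/16", gw, proto=6, dport=443)
    print(len(spd), "entries for two disjoint subnets")
    print(lookup(spd, Packet("10.1.2.3", "172.16.9.9", 6, 443)))   # 203.0.113.1
    print(lookup(spd, Packet("10.2.2.3", "172.16.9.9", 6, 443)))   # None: not covered
    print(len(selectors_for_everything_except("10.1.0.0/16")),
          "selectors needed to say 'everything except 10.1.0.0/16'")
```

The last line is the cost of the missing "everything except" construct: excluding one /16 from the whole IPv4 space leaves sixteen prefixes, each of which would be its own selector and SA under the DOI model the thread describes.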


