
Re: use of client IDs

On Fri, 19 Jun 1998 13:05:46 PDT you wrote
> Pyda,
> 
> [...]
> > I think Bryan is arguing for making ID payload (which in its 
> > current state
> > is the poor man's policy descriptor) mandatory.
> 
> Actually I'm proposing that it should be optional, since to make it
> mandatory would preclude simple cases like "on interface X use 
> security association Y for all traffic sent to destination Z". 

(I'm assuming that the box to which this policy is being applied is not
sourcing the traffic sent to Z and that Z is the traffic endpoint as well
as the IPSec endpoint).

IDci= IPv4 subnet, 0.0.0.0/0.0.0.0, protocol=0, port=0
IDcr= IPv4 address, Z, protocol=0, port=0

In my opinion it would be bad for Z to have related policy (which would 
allow it to accept this negotiation) since it would require every single 
packet sent to it and sent from it to go through this box. And that is not 
realistic.

If my assumption that the box was not sourcing the traffic is wrong, then this
is the trivial host-to-host example and it doesn't matter that your "host"
was in fact a router, because it's acting like a host in this case and 
passing client identities is not required.

If my assumption that Z is not the traffic endpoint was wrong (and Z is
a router), then it is even worse for Z to have this policy, because he's
saying that every single packet sent to him (through the particular interface
to which this policy is applied) must come from the box in question. This
includes all routing updates, etc. And if that's the case, then I'll ask
you why you want to do link encryption with IPSec. If the box in question
and Z are more than one hop from each other, you don't want to do what you
think you want to do.

  Dan.


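As an added illustration (not code from Dan's message, the IETF, or any IKE implementation), the IDci/IDcr pair quoted above is encoded as RFC 2407 Identification payloads, and a selector check shows what such a pair claims: every packet from anywhere to Z. Z = 192.0.2.1 is a constructed placeholder address.

```python
import ipaddress
import struct

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
# Payload header: Next Payload, RESERVED, Payload Length, ID Type, Protocol ID, Port
HDR = "!BBHBBH"

def encode_id(id_type, data, proto=0, port=0, next_payload=0):
    """Serialize a Phase 2 Identification payload (RFC 2407, section 4.6.2)."""
    if id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(data).packed
    elif id_type == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network(data, strict=False)
        body = net.network_address.packed + net.netmask.packed
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return struct.pack(HDR, next_payload, 0, 8 + len(body), id_type, proto, port) + body

def decode_id(raw):
    """Parse one Identification payload into (network, protocol, port)."""
    _, _, length, id_type, proto, port = struct.unpack(HDR, raw[:8])
    body = raw[8:length]
    if id_type == ID_IPV4_ADDR and len(body) == 4:
        net = ipaddress.IPv4Network((body, 32))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(body) == 8:
        net = ipaddress.IPv4Network((body[:4], str(ipaddress.IPv4Address(body[4:]))))
    else:
        raise ValueError("malformed or unsupported ID payload")
    return net, proto, port

def covered(idci_raw, idcr_raw, src, dst, proto=0, sport=0, dport=0):
    """True if a packet src->dst is claimed by the IDci/IDcr selector pair.
    Protocol ID 0 and port 0 in a selector are wildcards, as in the DOI."""
    ci_net, ci_proto, ci_port = decode_id(idci_raw)
    cr_net, cr_proto, cr_port = decode_id(idcr_raw)
    ok = lambda sel_p, sel_port, p, port: sel_p in (0, p) and sel_port in (0, port)
    return (ipaddress.IPv4Address(src) in ci_net and ipaddress.IPv4Address(dst) in cr_net
            and ok(ci_proto, ci_port, proto, sport) and ok(cr_proto, cr_port, proto, dport))

# Constructed sample: Z = 192.0.2.1 (documentation range) stands in for Z above
Z = "192.0.2.1"
IDCI = encode_id(ID_IPV4_ADDR_SUBNET, "0.0.0.0/0.0.0.0")  # any source, any proto/port
IDCR = encode_id(ID_IPV4_ADDR, Z)                          # everything sent to Z

if __name__ == "__main__":
    # A BGP update from a neighbour to Z is claimed too; Z's replies are not
    print(covered(IDCI, IDCR, "192.0.2.254", Z, 6, 20000, 179))  # True
    print(covered(IDCI, IDCR, Z, "192.0.2.254", 6, 179, 20000))  # False
```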