
Re: use of client IDs



  Bryan,

On: Fri, 19 Jun 1998 17:12:44 PDT you wrote
> An SA is a simplex connection, and asymmetric routes are not
> uncommon. If a box accepts packets from a source IP address of 
> "any", that arrive over an SA, it should not imply that the
> box has only one default route for sending packets, which all
> packets must follow, and which has a nexthop IP address of the
> other end of the SA.

  Under what circumstances would you use the outbound SA that was
created with this inbound SA? Your inbound SA is "anyone to me"; your 
outbound is "me to anyone". If what you mean by "it should not imply 
a single route" is that under some circumstances you would not apply
this SA to outbound traffic then why did you negotiate such policy?

  The client identities identify traffic to which security is applied.
What you seem to want is to protect everything that's routed through
some particular route. I don't see the point and that's real ugly.
Routing updates would have to modify your security policy. Hmmm. Not
too secure considering routing protocols aren't secure (yet).

> I think I now see where some of the confusion lies however.
> If I have two routers, and a GRE or L2TP tunnel between them,
> and I want to secure the GRE or L2TP tunnel with IPSEC, then 
> the Quick Mode exchange needed to set up the SA does not need 
> to include the client ID, because in this case the router is 
> acting as a virtual host, and is not proxying for anyone. 
> Is this correct ?

  Yes, that's correct. One way to look at it is that if you *could* use
transport mode, client IDs aren't necessary; if you must use tunnel mode,
then they are. Unless you want to specify some particular port/protocol
then you need client IDs regardless.

  Dan.
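The two points argued in this reply, that Quick Mode client IDs are traffic selectors rather than routing state and that routers tunnelling GRE between themselves need only the SA endpoints as IDs, can be modelled in a few dozen lines. The following is an added example, not code from the mailing-list thread or from any IPsec implementation: it builds a toy Security Policy Database keyed by selectors (prefixes, protocol, port) and contrasts it with a hypothetical "protect whatever is sent via this next hop" policy. All addresses, prefixes, routes and SA names are constructed for illustration.

```python
"""Toy IPsec SPD (selector-based) versus a hypothetical route-based policy.

Added example, not from the ipsec list thread. Addresses use the
documentation ranges and every route, prefix and SA name is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """Traffic selector: the Quick Mode client IDs plus optional proto/port."""
    src: str                      # CIDR prefix of the sending hosts
    dst: str                      # CIDR prefix of the receiving hosts
    proto: Optional[int] = None   # None means any IP protocol
    dport: Optional[int] = None   # None means any destination port

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                   # "protect" or "bypass"
    sa_name: Optional[str] = None


# Constructed SPD for router A (192.0.2.1) peering with router B (198.51.100.1).
SPD: List[SPDEntry] = [
    # IKE itself (UDP/500) between the peers travels in the clear: a port-level
    # selector, which needs explicit client IDs whatever mode is in use.
    SPDEntry(Selector("192.0.2.1/32", "198.51.100.1/32", proto=17, dport=500), "bypass"),
    # GRE between the two routers: the routers are the hosts, so the IDs are just
    # the SA endpoints and transport mode suffices. Only protocol 47 is selected.
    SPDEntry(Selector("192.0.2.1/32", "198.51.100.1/32", proto=47), "protect", "sa-gre-transport"),
    # Router A proxying for 10.0.0.0/24 towards 10.1.0.0/16 behind B: tunnel mode,
    # so the client IDs (the two prefixes) are required.
    SPDEntry(Selector("10.0.0.0/24", "10.1.0.0/16"), "protect", "sa-tunnel"),
]


def spd_lookup(src: str, dst: str, proto: int, dport: Optional[int] = None,
               spd: List[SPDEntry] = SPD) -> Tuple[str, Optional[str]]:
    """First-match lookup; with no matching entry the packet is discarded (RFC 2401 default)."""
    for entry in spd:
        if entry.selector.matches(src, dst, proto, dport):
            return entry.action, entry.sa_name
    return "discard", None


Route = Tuple[str, str]   # (prefix, next hop)

ROUTES_BEFORE: List[Route] = [("10.1.0.0/16", "203.0.113.1"), ("0.0.0.0/0", "203.0.113.254")]
# A routing update injects a more specific prefix reachable via a different next hop.
ROUTES_AFTER: List[Route] = ROUTES_BEFORE + [("10.1.5.0/24", "203.0.113.9")]


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match returning the next hop for dst."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def route_based_policy(routes: List[Route], protected_hop: str, dst: str) -> str:
    """Hypothetical policy: protect exactly the traffic forwarded via protected_hop."""
    return "protect" if route_lookup(routes, dst) == protected_hop else "bypass"


def compare_after_routing_update(src: str = "10.0.0.5", dst: str = "10.1.5.7",
                                 proto: int = 6, dport: int = 443):
    """Return ((selector before, after), (route-based before, after)) for one flow."""
    by_selector = (spd_lookup(src, dst, proto, dport)[0],
                   spd_lookup(src, dst, proto, dport)[0])   # the SPD never consulted the routes
    by_route = (route_based_policy(ROUTES_BEFORE, "203.0.113.1", dst),
                route_based_policy(ROUTES_AFTER, "203.0.113.1", dst))
    return by_selector, by_route


if __name__ == "__main__":
    print("GRE A->B:", spd_lookup("192.0.2.1", "198.51.100.1", 47))
    print("SSH A->B:", spd_lookup("192.0.2.1", "198.51.100.1", 6, 22))
    print("host flow, selector vs route policy:", compare_after_routing_update())
```

The selector-based decision for the 10.0.0.5 to 10.1.5.7 flow is "protect" both before and after the routing update, because the SPD never looked at the routing table; the route-based variant silently flips to "bypass" once a more specific prefix arrives via another next hop, which is the "routing updates would have to modify your security policy" problem in miniature.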
