RE: use of client IDs
Pyda,
> Trusting a peer node is different from figuring out whether a
> packet should be tunneled to the peer or not. You cannot make
> the assumption that your routing table will tell you whether or
> not a packet should be tunneled to a peer, because you may not
> be running routing protocols on top of the tunnels.
I think it is important to note that, as the architecture doc
describes, there are logically separate SPDs for inbound and
outbound traffic.
If A is establishing an IPSEC SA to B, then B could have a policy
that says "accept (source IP address) 0.0.0.0 on an SA from A"
because it has already established a trust relationship with A and
can rely on A to apply its own outbound policy on the SA. Now B
could have an outbound policy which says, for example, "send packets
destined to 1.1.1.0/24 and 1.1.2.0/24 to A", but this is separate
from the inbound policy. Having a finer granularity inbound policy
on B, which explicitly lists the subnets allowed to source
traffic is something that I think should be allowed, but not
required, because to do this requires, in effect, a policy exchange
protocol, so that B can verify the policy defined in the incoming
protocol message with the policy defined in its SPD.
Bryan
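A small model of the two-SPD arrangement described above, added here as an example and not part of the original mail: gateway B keeps a coarse inbound entry ("any source on the SA from A") or, optionally, a fine-grained one listing the subnets A may source, while its outbound SPD is consulted separately to decide which packets are tunneled to A. The class and function names (SecurityGateway, gateway_b) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")  # the "accept 0.0.0.0" inbound selector


@dataclass
class SPDEntry:
    """One selector entry bound to the SA with the named peer (hypothetical model)."""
    peer: str
    nets: list  # ip_network objects the entry matches


class SecurityGateway:
    """Gateway B with logically separate inbound and outbound SPDs."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # entries checked on decapsulation, per SA peer
        self.outbound = outbound  # entries checked on the packet's destination

    def outbound_peer(self, dst):
        """Return the peer whose SA should carry a packet to dst, or None."""
        dst = ipaddress.ip_address(dst)
        for entry in self.outbound:
            if any(dst in net for net in entry.nets):
                return entry.peer
        return None  # no tunnel selected; local policy decides bypass or discard

    def accept_inbound(self, peer, src):
        """Is a packet with source src allowed to arrive on the SA from peer?"""
        src = ipaddress.ip_address(src)
        for entry in self.inbound:
            if entry.peer == peer and any(src in net for net in entry.nets):
                return True
        return False


def gateway_b(fine_grained):
    """Build B's SPDs; fine_grained=True lists the subnets A may source explicitly."""
    subnets = [ipaddress.ip_network("1.1.1.0/24"),
               ipaddress.ip_network("1.1.2.0/24")]  # networks behind A (from the mail)
    inbound = [SPDEntry("A", subnets if fine_grained else [ANY])]
    outbound = [SPDEntry("A", subnets)]
    return SecurityGateway(inbound, outbound)


if __name__ == "__main__":
    b = gateway_b(fine_grained=False)
    print(b.outbound_peer("1.1.2.7"), b.accept_inbound("A", "10.9.9.9"))
```

With the coarse inbound policy B relies on A's outbound policy, so a source such as 10.9.9.9 is accepted on A's SA; with the fine-grained policy the same packet is rejected unless 10.9.9.0/24 is in the list B has agreed with A.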