
RE: use of client IDs



Pyda,

> Trusting a peer node is different from figuring out whether a
> packet should be tunneled to the peer or not.  You cannot make 
> the assumption that your routing table will tell you whether or 
> not a packet should be tunneled to a peer, because you may not 
> be running routing protocols on top of the tunnels.

I think it is important to note that, as the architecture doc 
describes, there are logically separate SPDs for inbound and 
outbound traffic.

If A is establishing an IPSEC SA to B, then B could have a policy
that says "accept (source IP address) 0.0.0.0 on an SA from A"
because it has already established a trust relationship with A and
can rely on A to apply its own outbound policy on the SA. Now B
could have an outbound policy which says, for example, "send packets
destined to 1.1.1.0/24 and 1.1.2.0/24 to A", but this is separate
from the inbound policy. Having a finer granularity inbound policy
on B, which explicitly lists the subnets allowed to source
traffic, is something that I think should be allowed, but not
required, because to do this requires, in effect, a policy exchange
protocol, so that B can verify the policy defined in the incoming
protocol message against the policy defined in its SPD.

Bryan
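The separation Bryan describes can be modelled directly. The following is an added illustration, not code from this message or from the IPsec architecture document: a toy SPD with independent inbound and outbound halves for node B, using the peer names A and B and the prefixes 1.1.1.0/24 and 1.1.2.0/24 from the message. The class and function names (SPD, build_b, demo) and the other addresses are constructed for the example. It shows the coarse inbound policy ("accept any source on an SA from A"), the optional finer-grained variant that lists the allowed source subnets, and that the outbound lookup never consults the inbound table.

```python
import ipaddress
from dataclasses import dataclass

# "0.0.0.0/0" as an accepted source means: trust the peer's own outbound policy.
ANY_SRC = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class SPD:
    """Security Policy Database with logically separate inbound and outbound halves.

    Outbound: destination prefix -> peer whose SA the packet is tunnelled over.
    Inbound:  peer -> source prefixes accepted on an SA from that peer.
    The two halves are consulted independently; nothing ties them together.
    """

    def __init__(self):
        self._outbound = []   # list of (ip_network, peer); first match wins
        self._inbound = {}    # peer -> list of ip_network accepted as source

    def add_outbound(self, dst_prefix, peer):
        self._outbound.append((ipaddress.ip_network(dst_prefix), peer))

    def add_inbound(self, peer, allowed_src=(ANY_SRC,)):
        self._inbound[peer] = [ipaddress.ip_network(p) for p in allowed_src]

    def outbound_peer(self, pkt):
        """Return the peer to tunnel pkt to, or None if no outbound policy matches."""
        dst = ipaddress.ip_address(pkt.dst)
        for net, peer in self._outbound:
            if dst in net:
                return peer
        return None

    def inbound_accept(self, pkt, sa_peer):
        """Return True if a packet that arrived on an SA from sa_peer passes inbound policy."""
        allowed = self._inbound.get(sa_peer)
        if allowed is None:
            return False          # no inbound policy for this peer: reject
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in allowed)


def build_b(fine_grained=False):
    """B's SPD as sketched in the message (hypothetical construction)."""
    spd = SPD()
    # Outbound: subnets behind A are tunnelled to A.
    spd.add_outbound("1.1.1.0/24", "A")
    spd.add_outbound("1.1.2.0/24", "A")
    if fine_grained:
        # Finer inbound policy: only A's subnets may source traffic on A's SA.
        spd.add_inbound("A", ("1.1.1.0/24", "1.1.2.0/24"))
    else:
        # Coarse inbound policy: "accept source 0.0.0.0 on an SA from A".
        spd.add_inbound("A")
    return spd


def demo():
    """Exercise both SPD halves; all packet addresses are constructed samples."""
    coarse = build_b()
    fine = build_b(fine_grained=True)
    from_subnet = Packet(src="1.1.1.5", dst="10.0.0.1")
    from_elsewhere = Packet(src="9.9.9.9", dst="10.0.0.1")
    return {
        "outbound_to_A": coarse.outbound_peer(Packet("10.0.0.1", "1.1.2.7")),
        "outbound_no_policy": coarse.outbound_peer(Packet("10.0.0.1", "8.8.8.8")),
        "coarse_accepts_subnet": coarse.inbound_accept(from_subnet, "A"),
        "coarse_accepts_elsewhere": coarse.inbound_accept(from_elsewhere, "A"),
        "fine_accepts_subnet": fine.inbound_accept(from_subnet, "A"),
        "fine_accepts_elsewhere": fine.inbound_accept(from_elsewhere, "A"),
        "unknown_peer_rejected": coarse.inbound_accept(from_subnet, "C"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Under the coarse policy B accepts a packet sourced from 9.9.9.9 on A's SA, because it has delegated that check to A's outbound policy; the finer-grained variant rejects it locally, which is exactly the extra assurance that, as the message notes, would otherwise need a policy exchange between the peers.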

