
Re: issues with IKE that need resolution



>>>>> "Pyda" == Pyda Srisuresh <suresh@livingston.com> writes:

 Pyda> A policy that asserts what datagrams are allowed to be
 Pyda> processed over an SA is not a local matter. Such a policy must
 Pyda> be shared between the SA peers. Otherwise, what is stopping one
 Pyda> end from using an SA to send any datagrams it chooses to forward to
 Pyda> its peer, while the peer doesn't approve of these packets and
 Pyda> simply drops or refuses to forward them?

That doesn't justify making the policy shared state.

If at my end I have a policy that datagrams containing X aren't
allowed, it doesn't make any difference end to end whether I
communicate that fact to the other security gateway or not.

If I don't communicate it, I end up discarding packets containing X at 
my end.  If I *do* communicate it, then the other security gateway may 
do the discarding for me.  (But I may not want to count on that, so it 
doesn't eliminate my own policy enforcement.)

In either case, packets containing X are discarded, so to the users of 
those packets the result is the same -- no throughput.  Which is what
the policy intended, so the right things happened.

If the only effect of communicating policy to the other end of the SA
is to move the point of discarding, it's clear to me that this should
not be done since it adds complexity to no purpose.

	paul

-- 
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Xedia Corporation, 119 Russell Street, Littleton, MA 01460, USA
! phone: +1 978 952 6000 ext 115, fax: +1 978 952 6090
! email: pkoning@xedia.com
! Pgp:   27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "Among the many misdeeds of the British rule in India, history
!  will look upon the Act depriving a whole nation of Arms, as
!  the blackest"    ---   Mahatma Gandhi
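The argument above (that communicating the policy only moves the point of discarding, and that the receiving gateway must enforce it anyway) can be checked with a small model. The following is an added example, not code from the original message or from any IPsec implementation: two hypothetical gateways A and B share one SA, B's local policy rejects datagrams "containing X" (modelled here as TCP to port 23), and the constructed traffic is pushed through the SA in three cases: B keeps the policy to itself, B shares it and A honors it, and B shares it but A ignores it. The names `Gateway`, `Packet`, `simulate` and the sample addresses are this example's own assumptions.

```python
"""
Added example (not from the original message): a toy model of two IPsec
security gateways, A and B, sharing one SA.  B's local policy says
datagrams "containing X" (here: TCP to port 23) are not allowed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


Policy = Callable[[Packet], bool]   # True means the datagram is allowed over the SA


@dataclass
class Gateway:
    name: str
    local_policy: Policy                      # what this gateway accepts inbound
    peer_policy: Optional[Policy] = None      # the peer's policy, if the peer shared it
    honor_peer_policy: bool = True            # whether to enforce the peer's policy outbound
    dropped_outbound: List[Packet] = field(default_factory=list)
    dropped_inbound: List[Packet] = field(default_factory=list)
    delivered: List[Packet] = field(default_factory=list)

    def send(self, pkt: Packet, peer: "Gateway") -> None:
        # Outbound enforcement only happens when the peer shared its policy
        # and this gateway chooses to honor it.
        if (self.peer_policy is not None and self.honor_peer_policy
                and not self.peer_policy(pkt)):
            self.dropped_outbound.append(pkt)
            return
        peer.receive(pkt)

    def receive(self, pkt: Packet) -> None:
        # Inbound enforcement is unconditional: the receiver never counts on
        # the sender having done the discarding for it.
        if not self.local_policy(pkt):
            self.dropped_inbound.append(pkt)
            return
        self.delivered.append(pkt)


def no_telnet(pkt: Packet) -> bool:
    """B's policy: datagrams 'containing X' are TCP/23 (hypothetical choice)."""
    return not (pkt.proto == "tcp" and pkt.dport == 23)


def allow_all(pkt: Packet) -> bool:
    return True


# Constructed traffic that A would like to push through the SA towards B.
TRAFFIC = [
    Packet("10.1.0.5", "10.2.0.7", "tcp", 22),
    Packet("10.1.0.5", "10.2.0.7", "tcp", 23),   # contains X
    Packet("10.1.0.9", "10.2.0.7", "udp", 53),
    Packet("10.1.0.9", "10.2.0.8", "tcp", 23),   # contains X
]


def simulate(share_policy: bool, peer_honors: bool) -> Tuple[List[Packet], int, int]:
    """Run the traffic through A -> B.

    Returns (packets B delivered, count dropped at A, count dropped at B).
    """
    b = Gateway("B", local_policy=no_telnet)
    a = Gateway("A", local_policy=allow_all,
                peer_policy=no_telnet if share_policy else None,
                honor_peer_policy=peer_honors)
    for pkt in TRAFFIC:
        a.send(pkt, b)
    return b.delivered, len(a.dropped_outbound), len(b.dropped_inbound)


if __name__ == "__main__":
    cases = [("policy local to B", (False, True)),
             ("policy shared, A honors it", (True, True)),
             ("policy shared, A ignores it", (True, False))]
    for label, args in cases:
        delivered, at_a, at_b = simulate(*args)
        print(f"{label:30s} delivered={len(delivered)} "
              f"dropped@A={at_a} dropped@B={at_b}")
```

In all three cases B delivers the same two datagrams; only the place where the other two are discarded moves between A and B, and in the third case B's own inbound check is what saves it.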