
Re: issues with IKE that need resolution






>>>>> "Pyda" == Pyda Srisuresh <suresh@livingston.com> writes:

    Pyda> A policy that asserts what datagrams are allowed to be
    Pyda> processed over an SA is not a local matter. Such a policy must
    Pyda> be shared between the SA peers. Otherwise, what is stopping one
    Pyda> end from using an SA to send any datagrams it chooses to forward to
    Pyda> its peer, while the peer doesn't approve of these packets and
    Pyda> simply drops or refuses to forward them.

>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
    Paul> That doesn't justify making the policy shared state.

    Paul> If at my end I have a policy that datagrams containing X aren't
    Paul> allowed, it doesn't make any difference end to end whether I
    Paul> communicate that fact to the other security gateway or not.

  While this applies to things that you want to discard (negative policy), it
does not apply to things that you want to be transmitted (positive policy).
  Since most of us security types start with *no* traffic of any kind passing
and then enable it bit by bit, being able to communicate positive protocol is
of utmost importance. I'd say that it sums up the ICMP work completely.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.



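The negative-versus-positive policy distinction in the message above, as an added example that is not code from the thread or from any IPsec implementation. It models two gateways with default-deny security policy databases. A local deny rule on one end works without the peer ever learning of it, while a positive "carry this on the SA" rule that the two ends disagree on results in one end sending packets the other end silently drops. The negotiation step models IKEv2-style traffic-selector narrowing (RFC 7296, section 2.9); that mechanism, the gateway names, the address ranges and the sample packets are all assumptions constructed for the example, not anything the 1998 draft under discussion specified.

```python
"""Toy model of IPsec SPD selectors on two security gateways.

Added example; not code from the IPsec mailing list thread or any real
IPsec stack. Addresses, gateway names and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

ANY_PROTO = 0
ICMP, TCP = 1, 6

Packet = Tuple[str, str, int]  # (src ip, dst ip, ip protocol)


@dataclass(frozen=True)
class Selector:
    """One positive SPD entry: traffic that may be carried over the SA."""
    src: IPv4Network
    dst: IPv4Network
    proto: int = ANY_PROTO

    def matches(self, src_ip: str, dst_ip: str, proto: int) -> bool:
        return (ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and self.proto in (ANY_PROTO, proto))

    def narrow(self, other: "Selector") -> Optional["Selector"]:
        """Intersection of two selectors, or None when they are disjoint.
        Two IPv4 prefixes are either nested or disjoint, so the narrower
        one is the intersection when they overlap at all."""
        def net(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
            if a.subnet_of(b):
                return a
            if b.subnet_of(a):
                return b
            return None

        src, dst = net(self.src, other.src), net(self.dst, other.dst)
        if src is None or dst is None:
            return None
        if self.proto == other.proto or other.proto == ANY_PROTO:
            proto = self.proto
        elif self.proto == ANY_PROTO:
            proto = other.proto
        else:
            return None
        return Selector(src, dst, proto)


class Gateway:
    """Default deny: a packet is forwarded only if a positive entry matches
    and no local negative entry matches."""

    def __init__(self, name: str, spd: Sequence[Selector],
                 deny: Sequence[Selector] = ()) -> None:
        self.name, self.spd, self.deny = name, list(spd), list(deny)

    def permits(self, src: str, dst: str, proto: int) -> bool:
        if any(d.matches(src, dst, proto) for d in self.deny):
            return False  # negative policy: decided locally, never shared
        return any(s.matches(src, dst, proto) for s in self.spd)


# Constructed scenario (assumed addresses): A wants the whole /16 on the SA
# and locally refuses TCP; B only agrees to a single /24 behind it.
GW_A = Gateway("A",
               spd=[Selector(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))],
               deny=[Selector(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), TCP)])
GW_B = Gateway("B",
               spd=[Selector(ip_network("10.1.0.0/16"), ip_network("10.2.5.0/24"))])

SAMPLE_PACKETS: List[Packet] = [        # constructed sample traffic
    ("10.1.0.5", "10.2.5.1", ICMP),     # inside both ends' positive policy
    ("10.1.0.5", "10.2.9.1", ICMP),     # A permits, B does not
    ("10.1.0.5", "10.2.5.1", TCP),      # A's local negative policy drops it
]


def run_unilateral(a: Gateway, b: Gateway, packets: Sequence[Packet]) -> Tuple[int, int, int]:
    """Each end applies only its own SPD to the SA; nothing is agreed.
    Returns (sent by A, delivered by B, dropped by B)."""
    sent = [p for p in packets if a.permits(*p)]
    delivered = [p for p in sent if b.permits(*p)]
    return len(sent), len(delivered), len(sent) - len(delivered)


def negotiate(proposal: Selector, responder: Gateway) -> Optional[Selector]:
    """Responder narrows the initiator's proposed selector to the first of
    its own positive entries that overlaps it (IKEv2-style narrowing)."""
    for entry in responder.spd:
        narrowed = entry.narrow(proposal)
        if narrowed is not None:
            return narrowed
    return None


def run_negotiated(a: Gateway, b: Gateway, packets: Sequence[Packet]) -> Tuple[Selector, int, int]:
    """Both ends install the agreed selector; A sends only what B will accept."""
    sa = negotiate(a.spd[0], b)
    if sa is None:
        raise RuntimeError("no overlap between the two ends' positive policy")
    sent = [p for p in packets if a.permits(*p) and sa.matches(*p)]
    delivered = [p for p in sent if b.permits(*p)]
    return sa, len(sent), len(delivered)


if __name__ == "__main__":
    print("unilateral  (sent, delivered, dropped by peer):", run_unilateral(GW_A, GW_B, SAMPLE_PACKETS))
    sa, sent, delivered = run_negotiated(GW_A, GW_B, SAMPLE_PACKETS)
    print("negotiated  selector:", sa.src, "->", sa.dst, "proto", sa.proto, "sent", sent, "delivered", delivered)
```

In the unilateral run A's TCP deny is honoured without B knowing about it, which is the negative-policy case, but the ICMP packet to 10.2.9.1 is sent and then dropped by B because the positive policy was never agreed. After narrowing, both ends hold the same selector (10.1.0.0/16 to 10.2.5.0/24) and everything A puts on the SA is accepted.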

