Re: issues with IKE that need resolution
>>>>> "Pyda" == Pyda Srisuresh <suresh@livingston.com> writes:
Pyda> A policy that asserts what datagrams are allowed to be
Pyda> processed over an SA is not a local matter. Such a policy must
Pyda> be shared between the SA peers. Otherwise, what is stopping one
Pyda> end from using an SA to send any datagrams it chooses to forward to
Pyda> its peer, while the peer doesn't approve of these packets and
Pyda> simply drops or refuses to forward them.
>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
Paul> That doesn't justify making the policy shared state.
Paul> If at my end I have a policy that datagrams containing X aren't
Paul> allowed, it doesn't make any difference end to end whether I
Paul> communicate that fact to the other security gateway or not.
While this applies to things that you want to discard (negative policy), it
does not apply to things that you want to be transmitted (positive policy).
Since most of us security types start with *no* traffic of any kind passing
and then enable it bit by bit, being able to communicate positive protocol is
of utmost importance. I'd say that it sums up the ICMP work completely.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
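An added illustration of the negative-versus-positive policy argument above; this is example code written for this page, not anything from the original mail or from any IKE implementation. The gateway names, the (protocol, port) selector format and the sample datagrams are all constructed assumptions. It models two peers that each run a default-deny selector policy over one SA, and compares keeping the policies local with negotiating the shared (intersected) selector set at SA setup.

```python
"""Why a default-deny ("positive") policy has to be shared between SA peers,
while a discard ("negative") policy can stay local.  All names and sample
traffic below are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Selector = Tuple[str, int]   # (ip protocol name, destination port); port 0 = any port

@dataclass(frozen=True)
class Datagram:
    proto: str
    dport: int

def matches(sel: Selector, d: Datagram) -> bool:
    proto, port = sel
    return proto == d.proto and port in (0, d.dport)

def permitted(policy: FrozenSet[Selector], d: Datagram) -> bool:
    """Positive policy: a datagram passes only if some selector matches it."""
    return any(matches(s, d) for s in policy)

def run_sa(sender_policy: FrozenSet[Selector], receiver_policy: FrozenSet[Selector],
           traffic: List[Datagram]) -> Tuple[int, int, int]:
    """The sender forwards what its own policy allows; the receiver discards what
    its policy does not allow.  Returns (sent, delivered, dropped_by_peer).
    The delivered count is the end-to-end outcome; dropped_by_peer is the
    traffic protected and transmitted for nothing."""
    sent = [d for d in traffic if permitted(sender_policy, d)]
    delivered = [d for d in sent if permitted(receiver_policy, d)]
    return len(sent), len(delivered), len(sent) - len(delivered)

def negotiate(a: FrozenSet[Selector], b: FrozenSet[Selector]) -> FrozenSet[Selector]:
    """Model of sharing the positive policy at SA setup: the SA carries only the
    selectors both peers agreed on, i.e. the intersection of their allow-lists."""
    return a & b

# Constructed example policies and traffic (hypothetical gateways GW_A and GW_B).
GW_A = frozenset({("tcp", 80), ("tcp", 443), ("icmp", 0)})
GW_B = frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)})
TRAFFIC = [Datagram("tcp", 80), Datagram("icmp", 0),
           Datagram("udp", 53), Datagram("tcp", 22)]

if __name__ == "__main__":
    # Local policies only: A sends ICMP that B silently discards.
    print("local policies only  :", run_sa(GW_A, GW_B, TRAFFIC))        # (2, 1, 1)
    shared = negotiate(GW_A, GW_B)
    # Shared positive policy: nothing is sent that the peer will refuse.
    print("shared positive policy:", run_sa(shared, shared, TRAFFIC))   # (1, 1, 0)
```

The delivered count is the same either way, which is Paul's point about discard policy; the wasted transmissions only disappear once the allowed selectors are agreed between the peers, which is the point made about positive policy.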