
RE: inbound policy verification



> Your policy entry for N2 needs to be narrowed to achieve the exclusion you
> want. Instead of a policy entry that specifies that the "wrong" parameters
> can be used in communicating with *any* host in network N2, that entry needs
> to specify that the "wrong" parameters can be used in communicating with
> hosts X2, Y2, Z2, etc.  (Recently there's been some discussion on the list
> about increasing the expressiveness of the ID syntax to make it simpler to
> specify policies covering nontrivial combinations of hosts, subnets, etc.)


So let me state my current understanding: The outbound SPD is ordered and it
must be searched in order for the first policy whose selectors match the
outbound packet. The inbound SPD is effectively not ordered and it is
searched until either a policy is found to accept the incoming packet or
until all policies have been checked. So there's an asymmetry here in the
semantics, and a real difference in the expressiveness of the outbound and
inbound SPDs. In the outbound SPD, an administrator can put a more-specific
policy ahead of a more-general policy and have the more-specific policy
enforced. But in the inbound SPD, the combination of a more-specific policy
and a more-general policy will not be enforced.

Lewis, I don't understand one aspect of your proposed work-around for my
example. If the administrator creates separate policies in the inbound SPD
for each of the hosts X2, Y2, Z2, etc. in network N2, then won't this mean
that each of the hosts will need a different SA to send packets to H1?
Whereas in my example, all the hosts in N2 (except H2) could share an SA.
(Using "take-from-policy" for the source address selector with value N2 in
the second policy in the inbound SPD.)

Thanks,
Rich
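As an added illustration (not code from the thread or from any IPsec implementation), here is a small Python model of the two lookup rules Rich describes, with constructed addresses for H1, H2, N2 and the other N2 hosts. It shows the asymmetry directly: the same "specific DISCARD ahead of general PROTECT" SPD enforces the exclusion for outbound traffic but not for inbound traffic, and it shows why Lewis's narrowed, per-host entries restore it.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the hosts named in the thread (not from the mail).
H1 = "192.0.2.1"                     # local host whose SPD we consult
N2 = "198.51.100.0/24"               # remote network N2
H2 = "198.51.100.2"                  # host in N2 that is to be excluded
X2, Y2, Z2 = ("198.51.100.%d" % i for i in (3, 4, 5))  # the other N2 hosts

def policy(local, remote, action):
    """An SPD entry: local/remote selectors plus PROTECT or DISCARD.
    Using local/remote lets one SPD serve both directions of traffic."""
    return (ip_network(local), ip_network(remote), action)

def selectors_match(entry, local, remote):
    return ip_address(local) in entry[0] and ip_address(remote) in entry[1]

def outbound_lookup(spd, src, dst):
    """Outbound SPD: ordered; the first entry whose selectors match decides."""
    for entry in spd:
        if selectors_match(entry, local=src, remote=dst):
            return entry[2]
    return "DISCARD"                 # no matching entry: drop the packet

def inbound_lookup(spd, src, dst):
    """Inbound SPD as Rich describes it: the packet is accepted as soon as
    any entry that would accept it matches; order plays no role."""
    for entry in spd:
        if entry[2] == "PROTECT" and selectors_match(entry, local=dst, remote=src):
            return "PROTECT"
    return "DISCARD"

# Intended policy: exclude H2, accept the rest of N2.  The more-specific
# DISCARD entry is listed ahead of the more-general PROTECT entry.
spd = [policy(H1, H2, "DISCARD"), policy(H1, N2, "PROTECT")]

# Lewis's work-around: enumerate the allowed hosts instead of all of N2.
spd_narrowed = [policy(H1, h, "PROTECT") for h in (X2, Y2, Z2)]

def demo():
    return {
        "outbound H1->H2": outbound_lookup(spd, H1, H2),          # DISCARD: order honoured
        "outbound H1->X2": outbound_lookup(spd, H1, X2),          # PROTECT
        "inbound H2->H1": inbound_lookup(spd, H2, H1),            # PROTECT: exclusion lost
        "inbound X2->H1": inbound_lookup(spd, X2, H1),            # PROTECT
        "narrowed H2->H1": inbound_lookup(spd_narrowed, H2, H1),  # DISCARD
        "narrowed X2->H1": inbound_lookup(spd_narrowed, X2, H1),  # PROTECT
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The inbound check here only models selector matching; a real implementation also compares the packet's SA against the entry, which is exactly why per-host entries imply per-host SAs, as Rich's question points out.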