Re: inbound policy verification
- To: IPsec WG List <ipsec@tis.com>
- Subject: Re: inbound policy verification
- From: Lewis McCarthy <lmccarth@cs.umass.edu>
- Date: Sat, 03 Oct 1998 17:33:10 -0400
- CC: Richard Draves <richdr@microsoft.com>
- Organization: Theoretical Computer Science Group, University of Massachusetts at Amherst
- References: <4D0A23B3F74DD111ACCD00805F31D8100AF81369@RED-MSG-50>
- Sender: owner-ipsec@ex.tis.com
Hi,
Richard Draves writes:
> Lewis, I don't understand one aspect of your proposed work-around for my
> example. If the administrator creates separate policies in the inbound SPD
> for each of the hosts X2, Y2, Z2, etc in network N2, then won't this mean
> that each of the hosts will need a different SA to send packets to H1?
> Whereas in my example, all the hosts in N2 (except H2) could share an SA.
> (Using "take-from-policy" for the source address selector with value N2 in
> the second policy in the inbound SPD.)
Right.
This can be mitigated to some extent by specifying multiple hosts in a single
selector using a _SUBNET or _RANGE ID Type (cf. the IPsec DOI). But I agree
it would be convenient to be able to specify a more or less arbitrary set of
"atomic" IDs as the selector for a single SA. See the recent/current thread
with Subject: Re: multiple payloads via "ID_LIST"
for discussion of work on this issue.
> Thanks,
> Rich
-Lewis
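To make the trade-off in the exchange above concrete, here is an added example (not code from the list or from either poster) that models an inbound SPD as an ordered list of entries and shows how many SAs the hosts in N2 end up needing under each selector choice. It assumes: N2 = 10.2.0.0/24 with H2 = 10.2.0.2 and X2/Y2/Z2 = 10.2.0.10-12 (constructed addresses); "take-from-policy" is modelled as one SA bound to each protecting SPD entry, so every sender that entry matches shares that SA; ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET and ID_IPV4_ADDR_RANGE carry their RFC 2407 values, while ID_LIST stands in for the proposal discussed in the thread Lewis cites and is given an arbitrary placeholder value because it is not a DOI ID Type.

```python
"""Toy inbound-SPD model: how the source selector's ID Type decides
how many SAs the hosts in N2 need towards H1 (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# ID Types from the IPsec DOI (RFC 2407). ID_LIST is NOT a DOI ID Type; it
# models the "ID_LIST" proposal from the thread cited above, and 99 is an
# arbitrary placeholder for this example only.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7
ID_LIST = 99


@dataclass(frozen=True)
class Selector:
    """Source-address selector of one inbound SPD entry."""
    id_type: int
    data: tuple  # (addr,), (network,), (lo, hi) or (Selector, ...)

    def matches(self, a: IPv4Address) -> bool:
        if self.id_type == ID_IPV4_ADDR:
            return a == self.data[0]
        if self.id_type == ID_IPV4_ADDR_SUBNET:
            return a in self.data[0]          # IPv4Network membership
        if self.id_type == ID_IPV4_ADDR_RANGE:
            lo, hi = self.data
            return lo <= a <= hi
        if self.id_type == ID_LIST:            # arbitrary set of atomic IDs
            return any(s.matches(a) for s in self.data)
        raise ValueError(f"unknown ID type {self.id_type}")


@dataclass(frozen=True)
class Policy:
    """One inbound SPD entry. sa is None for a discard entry; otherwise it
    names the SA whose selector is taken from this entry, so every sender the
    entry matches must use (and may share) that SA."""
    src: Selector
    sa: Optional[str]


def lookup(spd, src: IPv4Address) -> Optional[Policy]:
    """First matching entry wins; RFC 2401 requires the SPD to be ordered."""
    for p in spd:
        if p.src.matches(src):
            return p
    return None  # no entry: inbound traffic is discarded


def sa_per_sender(spd, senders):
    """Map each sending host to the SA it must use towards H1 (None = discard)."""
    out = {}
    for h in senders:
        p = lookup(spd, IPv4Address(h))
        out[h] = p.sa if p is not None else None
    return out


def distinct_sas(spd, senders) -> int:
    return len({sa for sa in sa_per_sender(spd, senders).values() if sa})


# Constructed topology: N2 with H2 (to be excluded) and three other hosts.
N2 = IPv4Network("10.2.0.0/24")
H2, X2, Y2, Z2 = "10.2.0.2", "10.2.0.10", "10.2.0.11", "10.2.0.12"
SENDERS = [H2, X2, Y2, Z2]


def host(a: str) -> Selector:
    return Selector(ID_IPV4_ADDR, (IPv4Address(a),))


# Work-around: one inbound entry per host, hence one SA per host.
SPD_PER_HOST = [
    Policy(host(H2), None),
    Policy(host(X2), "SA-X2"),
    Policy(host(Y2), "SA-Y2"),
    Policy(host(Z2), "SA-Z2"),
]

# Richard's example: discard H2 first, then let all of N2 share one SA.
# The order matters: the subnet entry would swallow H2 if it came first.
SPD_SHARED = [
    Policy(host(H2), None),
    Policy(Selector(ID_IPV4_ADDR_SUBNET, (N2,)), "SA-N2"),
]

# Grouping a contiguous block of hosts with a _RANGE selector.
SPD_RANGE = [
    Policy(Selector(ID_IPV4_ADDR_RANGE,
                    (IPv4Address(X2), IPv4Address(Z2))), "SA-N2-hosts"),
]

# An arbitrary, non-contiguous set of hosts on one SA (ID_LIST model).
SPD_LIST = [
    Policy(Selector(ID_LIST, (host(X2), host(Z2))), "SA-list"),
]

if __name__ == "__main__":
    for name, spd in [("per-host", SPD_PER_HOST), ("shared", SPD_SHARED),
                      ("range", SPD_RANGE), ("list", SPD_LIST)]:
        print(name, distinct_sas(spd, SENDERS), sa_per_sender(spd, SENDERS))
```

The per-host SPD needs three SAs for X2, Y2 and Z2; the subnet and range forms collapse them onto one, and the list form does the same for a non-contiguous set. Reversing the two entries of SPD_SHARED shows the practical caveat: H2 then matches the subnet entry and is no longer excluded.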