[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on VPN framework document

To: Bryan Gleeson <BGleeson@shastanets.com>
Subject: Re: comments on VPN framework document
From: Daniel Harkins <dharkins@cisco.com>
Date: Mon, 12 Oct 1998 13:56:09 -0700
cc: Bernard Aboba <aboba@internaut.com>, Stephen Waters <Stephen.Waters@digital.com>, "Frank O'Dwyer" <fod@brd.ie>, ipsec@tis.com, l2tp@zendo.com, vpn@BayNetworks.COM
In-reply-to: Your message of "Mon, 12 Oct 1998 13:33:09 PDT." <EBE4A6EB7EB0D1118D1C00A0C9831332556DB5@shasta-pc.shastanets.com>
Sender: owner-ipsec@ex.tis.com

  Bryan,

  Attempting to use a layer 3 security protocol to provide what is,
in effect, layer 2 security is going to be problematic. No doubt about it.
If you're deadset on doing this why not use a proxy identity type of subnet
whose value is 0.0.0.0/0.0.0.0?

  Or why not just use the right tool for the right job: a link encryptor.

  Dan.

On Mon, 12 Oct 1998 13:33:09 PDT you wrote
> 
> Take a basic networking task (nothing to do 
> with IPSEC) of configuring a point to point 
> link (e.g. an ATM PVC) between two routers.
> When I configure the link I don't need to 
> know the set of layer 3 packets that will at a
> later point travel over the link. Instead a
> set of packets, determined by a dynamic routing
> protocol, will be sent over the link, and this
> may change over time. So the steps are
> 
> - configure the layer 2 link
> - turn on routing over this link
> - packets get sent on the link
> 
> Now the problem with using an IPSEC tunnel in
> this way is that it is currently a requirement
> that when an SA is established between two
> routers (security gateways), it is necessary 
> to specify the set of IP packets that will 
> be sent over the SA - the proxy IDs (IDci and
> IDcr) in a Quick Mode message must be non zero.
> If you haven't, at this point, even turned on
> routing to run over this IP tunnel link, then
> you don't know what the set of packets will be.
> 
> A mode of operation that allowed these fields
> to be unspecified would solve the problem. The
> security policy to be applied on the SA (by
> the receiver of the SA) could be determined 
> by the identify of the Phase 1 negotiator,
> possibly in conjunction with extra information
> (such as a VPN-ID) conveyed before the Phase 
> 2 exchange. Essentially this is a policy issue.
> The policy to be applied on a Phase 2 SA, should 
> not have to be signalled in the establishment of
> the SA. We should allow the identification of
> the policy to be applied to be based on information
> other than the source and destination IP addresses
> of the packets that will be sent over the SA. This
> becomes particularly important if you are running a 
> network where there are multiple domains (e.g VPNs)
> all using the same address space (e.g. 10.0.0.0/8).
> 
> Bryan 
>

Follow-Ups:

Re: comments on VPN framework document

From: Paul Krumviede <paul@mci.net>

References:

RE: comments on VPN framework document

From: Bryan Gleeson <BGleeson@shastanets.com>

Prev by Date: Re: comments on VPN framework document
Next by Date: RE: comments on VPN framework document
Prev by thread: RE: comments on VPN framework document
Next by thread: Re: comments on VPN framework document
Index(es):
- Main
- Thread