
Re: comments on VPN framework document



  Bryan,

On Mon, 12 Oct 1998 15:15:44 PDT you wrote:
>
> >   Attempting to use a layer 3 security protocol to provide what is,
> > in effect, layer 2 security is going to be problematic. No 
> > doubt about it.
> > If you're deadset on doing this why not use a proxy identity 
> > type of subnet
> > whose value is 0.0.0.0/0.0.0.0?
> 
> If there was universal agreement on what this meant when you 
> received it, there would not be a problem. However in previous
> email on this topic it was asserted that this would imply that 
> I had a default route pointing out the SA. 

What it's saying is that "I'm gonna stick anything I want into this tunnel 
and, likewise, I'll accept anything you choose to stick into it". In your 
example you wanted to configure a point-to-point link without knowing 
anything about the packets that would traverse the link; you wanted to do
IPSec on IP packets without having to know the addressing of those packets. 
Having proxy IDs of "any to any" is a way to do this. If you have a routing 
table then you obviously care about the addressing of those packets and
"any any" is not what you want. But that's a different scenario than what
you described.

And I don't know if there's universal agreement on this. I'm not sure
whether those proxy IDs would be accepted by various implementations. 
"Encrypt anything and everything and send it to this single peer" may not
be something every implementation can express. You can do it on my
implementation, but 99% of the time someone does it, it's not what they really
intended and they're surprised by the result.

>                                            This is not true
> if there are separate inbound and outbound policies, i.e.
> just because I can receive from 'any' then it does not mean 
> that I have to use that SA to send everything. 

But in your example you didn't know that at SA establishment time. How
is this policy established if you didn't know what you could route to in
the first place? Are you dynamically modifying your IPSec policy based
on routing updates? ("danger, danger, Will Robinson!")

  Dan.
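The point Dan is making about "any to any" proxy IDs (the IKEv1 term for what RFC 4301 calls traffic selectors) and about keeping inbound and outbound policy separate is easier to see with a small model of a Security Policy Database. The following is an added example, not code from this message or from any implementation discussed in the thread; the class names, the policy tables and the addresses (192.0.2.1 as tunnel peer, 10.1.0.0/16 and 10.2.0.0/16 as the two LANs) are constructed for illustration.

```python
"""Toy model of an IPsec Security Policy Database (SPD) with separate
inbound and outbound entries, to show what proxy IDs of 0.0.0.0/0.0.0.0
("any to any") actually select, and why an inbound "any" does not have
to become an outbound default route.

Added example; not code from the original mailing-list message. All
names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Selector:
    """Source/destination address ranges in CIDR form.
    "0.0.0.0/0" is the "any" proxy ID discussed in the message."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass(frozen=True)
class Entry:
    selector: Selector
    action: str
    peer: Optional[str] = None   # tunnel endpoint when action == PROTECT


class Spd:
    """Ordered, per-direction policy lists; first match wins (RFC 4301 model)."""

    def __init__(self, outbound: List[Entry], inbound: List[Entry]):
        self.outbound = outbound
        self.inbound = inbound

    def lookup(self, direction: str, src_ip: str,
               dst_ip: str) -> Tuple[str, Optional[str]]:
        entries = self.outbound if direction == "out" else self.inbound
        for e in entries:
            if e.selector.matches(src_ip, dst_ip):
                return e.action, e.peer
        return DISCARD, None   # no matching SPD entry: discard


ANY = "0.0.0.0/0"
PEER = "192.0.2.1"          # constructed tunnel peer address
LOCAL_LAN = "10.1.0.0/16"   # constructed
REMOTE_LAN = "10.2.0.0/16"  # constructed


def any_any_policy() -> Spd:
    """'I'll stick anything I want into this tunnel and accept anything
    you stick into it.'  Outbound, this is a default route into the SA:
    every packet, including local-LAN traffic, goes to the peer.  A real
    implementation also has to exempt its own IKE and ESP traffic to the
    peer or the tunnel swallows its own encapsulation."""
    return Spd(
        outbound=[Entry(Selector(ANY, ANY), PROTECT, PEER)],
        inbound=[Entry(Selector(ANY, ANY), PROTECT, PEER)],
    )


def asymmetric_policy() -> Spd:
    """Accept 'any' from the tunnel, but only send LOCAL_LAN -> REMOTE_LAN
    into it; everything else leaves in the clear.  The inbound 'any'
    does not force an outbound default route, but note that the outbound
    selector had to be known at policy-installation time."""
    return Spd(
        outbound=[
            Entry(Selector(LOCAL_LAN, REMOTE_LAN), PROTECT, PEER),
            Entry(Selector(ANY, ANY), BYPASS),
        ],
        inbound=[Entry(Selector(ANY, ANY), PROTECT, PEER)],
    )


if __name__ == "__main__":
    flows = [("out", "10.1.0.9", "10.2.0.7"),   # LAN to LAN
             ("out", "10.1.0.9", "10.1.0.5"),   # local LAN, same side
             ("out", "10.1.0.9", "198.51.100.8"),  # Internet host
             ("in", "10.2.0.7", "10.1.0.9")]
    for name, spd in (("any-any", any_any_policy()),
                      ("asymmetric", asymmetric_policy())):
        for d, s, t in flows:
            print(name, d, s, "->", t, spd.lookup(d, s, t))
```

Running it shows the surprise Dan describes: under the any-any policy even a packet between two hosts on the local LAN is selected for the tunnel to 192.0.2.1, whereas the asymmetric table accepts anything from the peer but only protects the one LAN-to-LAN flow outbound.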


