
RE: comments on VPN framework document
Dan,
  
> > If there was universal agreement on what this meant when you 
> > received it, there would not be a problem. However in previous
> > email on this topic it was asserted that this would imply that 
> > I had a default route pointing out the SA. 
> 
> What it's saying is that "I'm gonna stick anything I want into this
> tunnel and, likewise, I'll accept anything you choose to stick into
> it".

Having a policy, and signalling the policy to a remote party, are
two separate things. No matter what someone signals, you will
always want to check what they actually send. Therefore the
"I'll accept anything you choose to stick into it" is not
implied. A policy precedes (in time and importance) its
signalling in any particular message. Thus it is more along
the lines of "I'm not telling you in this message what I'm
prepared to receive".

[...]
> > This is not true if there are separate inbound and outbound
> > policies, i.e. just because I can receive from 'any' then it does
> > not mean that I have to use that SA to send everything.
> 
> But in your example you didn't know that at SA establishment time.
> How is this policy established if you didn't know what you could
> route to in the first place?

It is no different from any policy / access lists / firewalling
capability that I apply today to a link over which I'm routing
packets. 

> Are you dynamically modifying your IPSec policy based
> on routing updates? ("danger, danger, Will Robinson!")

No - there's no such implication that this is necessary
or desirable and I agree that would be a Bad Thing. 
(even Dr Smith agrees :-) 

Bryan
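Bryan's distinction above between the selectors signalled in the SA and the policy actually enforced, as an added example that is not part of the original thread. It is a constructed model with hypothetical addresses: the SA was negotiated with "any" selectors in both directions, but separate inbound and outbound SPD entries decide what is accepted after decapsulation and what is steered into the SA, so receiving from 'any' never forces a default route out the SA.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Selector:
    """One SPD entry: a source/destination address range."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


# What was signalled to the peer at SA establishment: "any" in both directions.
# This records the negotiation only; it is not the local enforcement policy.
SA_SIGNALLED = Selector(ANY, ANY)

# Local inbound policy (hypothetical addresses): traffic we actually accept
# from this SA after decapsulation, whatever the peer was told.
INBOUND_POLICY = [Selector(net("10.1.0.0/16"), net("192.168.0.0/24"))]

# Local outbound policy: only this subset is steered into the SA; everything
# else is routed normally, so there is no default route out the SA.
OUTBOUND_POLICY = [Selector(net("192.168.0.0/24"), net("10.1.5.0/24"))]


def signalled_allows(pkt: Packet) -> bool:
    """What the negotiated selectors alone would admit."""
    return SA_SIGNALLED.matches(pkt)


def accept_inbound(pkt: Packet) -> bool:
    """Inbound check applied to every decapsulated packet: the local policy
    decides, not the selectors signalled in the SA."""
    return any(sel.matches(pkt) for sel in INBOUND_POLICY)


def route_outbound(pkt: Packet) -> str:
    """Outbound decision: 'sa' only for traffic the outbound policy selects."""
    return "sa" if any(sel.matches(pkt) for sel in OUTBOUND_POLICY) else "clear"
```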
