
Re: comments on VPN framework document



  Bryan,

On Mon, 12 Oct 1998 20:43:21 PDT you wrote
> > >                                            This is not true
> > > if there are separate inbound and outbound policies, i.e.
> > > just because I can receive from 'any' then it does not mean 
> > > that I have to use that SA to send everything. 
> > 
> > But in your example you didn't know that at SA establishment time. How
> > is this policy established if you didn't know what you could route to
> > in the first place?
> 
> It is no different from any policy / access lists / firewalling
> capability that I apply today to a link over which I'm routing
> packets. 

I'm missing something here. You said you were establishing an IPSec tunnel
as a point-to-point link in which you didn't know and didn't want/need to
know what packets were being sent through it. That's *very* different from
a typical access-list or firewall policy, which cares very much about the
addresses and port/protocol of the packets being sent through it. So
if you don't know what the IP addresses are going to be a priori (your
example that started this) then how are you defining your access-lists?
What sort of firewall policy do you have that doesn't care about addressing?
"permit all" or "forbid all" are very degenerate and pointless policies.

  Dan.
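The disagreement above is about per-direction policy: whether an inbound policy that admits "any" says anything about which SA outbound traffic must use, and whether a selector-free policy decides anything at all. The following is an added illustration, not code from this thread or from any IPsec implementation. It models an RFC 2401-style security policy database with separate ordered inbound and outbound tables, selectors on source, destination, protocol and port with wildcards, and a first-match lookup. The addresses, SPI labels and policy entries are constructed sample data, and the `is_degenerate` check is this example's own name for the "permit all / forbid all" case Dan describes.

```python
"""Per-direction IPsec SPD lookup with wildcard selectors (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = None  # wildcard for any selector field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0  # 0 when the protocol carries no port


@dataclass(frozen=True)
class Selector:
    """Traffic selector in the style of RFC 2401; None in a field means 'any'."""
    src: Optional[str] = ANY    # CIDR prefix
    dst: Optional[str] = ANY
    proto: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        if self.src is not ANY and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not ANY and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not ANY and pkt.proto != self.proto:
            return False
        if self.dport is not ANY and pkt.dport != self.dport:
            return False
        return True

    def is_wildcard(self) -> bool:
        return all(f is ANY for f in (self.src, self.dst, self.proto, self.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                 # 'protect', 'bypass' or 'discard'
    sa: Optional[str] = None    # SA label (here a hypothetical SPI string) when action is 'protect'


DISCARD = Policy(Selector(), "discard")  # implicit default: no match means drop


class SPD:
    """Ordered, first-match policy lists kept separately for each direction."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Policy]] = {"in": [], "out": []}

    def add(self, direction: str, policy: Policy) -> None:
        self.tables[direction].append(policy)

    def lookup(self, direction: str, pkt: Packet) -> Policy:
        for pol in self.tables[direction]:
            if pol.selector.matches(pkt):
                return pol
        return DISCARD

    def is_degenerate(self, direction: str) -> bool:
        """True when the table's first entry is a pure wildcard: it is then
        'permit all' or 'forbid all' and no later entry can ever be reached."""
        table = self.tables[direction]
        return bool(table) and table[0].selector.is_wildcard()


def build_sample_spd() -> SPD:
    """Constructed sample: accept anything inbound, but restrict what goes out."""
    spd = SPD()
    # Inbound: whatever arrives over the tunnel SA labelled 'spi-0x1001' is accepted.
    spd.add("in", Policy(Selector(), "protect", sa="spi-0x1001"))
    # Outbound: only SSH from the local /8 to the peer's /16 is sent protected,
    # over a different SA; the inbound 'any' entry does not bind this choice.
    spd.add("out", Policy(Selector(src="10.0.0.0/8", dst="192.168.0.0/16", proto=6, dport=22),
                          "protect", sa="spi-0x2002"))
    # Outbound ICMP to the peer's /16 bypasses IPsec and goes in the clear.
    spd.add("out", Policy(Selector(dst="192.168.0.0/16", proto=1), "bypass"))
    return spd


if __name__ == "__main__":
    spd = build_sample_spd()
    for direction, pkt in [("in", Packet("203.0.113.5", "10.1.2.3", 6, 443)),
                           ("out", Packet("10.1.2.3", "192.168.7.7", 6, 22)),
                           ("out", Packet("10.1.2.3", "172.16.1.1", 6, 22))]:
        pol = spd.lookup(direction, pkt)
        print(direction, pkt.src, "->", pkt.dst, pol.action, pol.sa)
    print("inbound table degenerate:", spd.is_degenerate("in"))
```

The outbound table still needs the peer's prefixes written into its selectors; the inbound wildcard only shows why a single "any" entry is not a policy, which is the point Dan presses on.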


