
Re: IBM VPN Bakeoff Issues



On Wed, 04 Nov 1998 14:07:46 EST you wrote
>
> > 16. If an initiator requests an SA with only a single IP address as
> > the destination, but the responder has a local policy of a subnet
> > (instead of a single IP address), should it fail the negotiation?
> >  Some vendors were doing this.
> 
> Yes, it should fail. Because then the initiator could request another
> SA for the next IP address in the range the responder wanted to use in the
> first place. And then the next one. So you end up with a whole bunch of SAs
> that you don't need, and you may end up with a management issue that you
> didn't want. If your system is configured for a subnet, then that's probably
> what the administrator wants.

Whoa! I can deal with that management issue so I accept that offer. Provided 
the offer is wholly contained in my policy I'll accept it. If my policy says 
"anybody to 132.239.4.0/255.255.255.0" and someone offers "199.54.6.33 to 
132.239.4.18" that's what I'll add onto my SAs when I instantiate them. Then 
if 199.54.6.33 tries to send something to 132.239.4.50 on that SA I'll drop 
it (since it doesn't match the SA constraints we negotiated) even though it 
technically satisfies my policy. 

I'm being liberal in what I accept, provided it satisfies my configured policy 
that is. Yes, in certain situations I could end up with a whole slew of SAs 
when a single one would suffice. Oh well. That's the way it goes. 

I don't think we should dictate the behavior of an implementation in this 
fashion. 

  Dan.
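The accept-if-wholly-contained rule and the per-SA enforcement described in the message above, as an added Python example (this is not code from the original post or from any IKE implementation; the Selector class, function names and the use of the message's addresses as constructed sample data are illustrative assumptions):

```python
import ipaddress
from typing import Optional


class Selector:
    """A traffic selector: a source network and a destination network.
    Hypothetical helper, not part of any real IKE/IPsec code base."""

    def __init__(self, src: str, dst: str):
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)

    def contains(self, other: "Selector") -> bool:
        # The offer is acceptable only if both its endpoints lie inside ours.
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)

    def matches_packet(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def respond_to_offer(policy: Selector, offer: Selector) -> Optional[Selector]:
    """Responder side: accept an initiator's selectors if they are wholly
    contained in the configured policy. The SA that gets instantiated carries
    the narrower, offered selectors, not the wider policy."""
    return offer if policy.contains(offer) else None


def sa_allows(sa: Selector, src_ip: str, dst_ip: str) -> bool:
    """Per-packet check on an instantiated SA: traffic must match the
    selectors negotiated for that SA, even when the broader policy would
    also have allowed it."""
    return sa.matches_packet(src_ip, dst_ip)


# Constructed sample data, taken from the addresses in the message:
# policy "anybody to 132.239.4.0/255.255.255.0", offer "199.54.6.33 to 132.239.4.18".
POLICY = Selector("0.0.0.0/0", "132.239.4.0/24")
OFFER = Selector("199.54.6.33/32", "132.239.4.18/32")

if __name__ == "__main__":
    sa = respond_to_offer(POLICY, OFFER)
    print("offer accepted:", sa is not None)
    # Matches the negotiated SA: forwarded.
    print("199.54.6.33 -> 132.239.4.18 on SA:", sa_allows(sa, "199.54.6.33", "132.239.4.18"))
    # Satisfies the policy but not this SA's selectors: dropped on this SA.
    print("199.54.6.33 -> 132.239.4.50 on SA:", sa_allows(sa, "199.54.6.33", "132.239.4.50"))
```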


