[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

No Subject

To: Charles Kunzinger <kunzinge@us.ibm.com>
From: Daniel Harkins <dharkins@cisco.com>
Date: Thu, 05 Nov 1998 08:53:46 -0800
cc: ipsec@tis.com
In-reply-to: Your message of "Thu, 05 Nov 1998 08:56:17 EST." <199811051356.IAA02475@portal.ex.tis.com>
Sender: owner-ipsec@ex.tis.com

On Thu, 05 Nov 1998 08:56:17 EST you wrote
> 
> 11.  If L2TP and IPSec are used in conjuc=nction, and there is no ID payload 
>in
> the
> IKE Phase 2 exchanges, should the default be to a)apply IPSec protection to a
>ll
> IP
> packets, b) apply IPSec protection only to packets going through the L2TP
> tunnel,
> or c) reject the SA proposal?
>  Consensus appeared to be that only the "tunneled" traffic should get
> IPSec
>  protection.

  I'm sorry to go against consensus but the draft (when can I start saying
RFC?) is specific about this behavior. I originally had some tangled verbage
on what it meant without client IDs in Quick Mode. Due to WG input it was
rewritten to state the following (this in section 5.5 of IKE):

	The identities of the SAs negotiated in Quick Mode are implicitly
	assumed to be the IP addresses of the ISAKMP peers, without any
	implied constraints on the protocol or port numbers allowed, unless
	client identifiers are specified in Quick Mode.

This is then overridden by any information in the client identities. So
if there are no client identities the SA is for the whole IP address of
the peer with no constraining port/protocol information. It doesn't matter
if you're doing L2TP or not. In fact, if you're not passing client IDs
how can the peer know your intent is to do L2TP and decide to accept
cleartext packets for everything except UDP port 1701?

  Dan.

References:

No Subject

From: owner-ipsec@ex.tis.com

Prev by Date: RE: IKE vs ISAKMP/Oakley
Next by Date: RE: IBM VPN Bakeoff Issues
Prev by thread: No Subject
Next by thread: No Subject
Index(es):
- Main
- Thread