Re: Client ID 0.0.0.0 Question
Andrew Sweeney wrote:
>
> Hi,
>
> I am a gateway running in tunnel mode.
>
> What does an advertised client ID of 0.0.0.0 type IPV4_ADDR or
> 0.0.0.0/0.0.0.0 type IPV4_SUBNET mean?
>
> It is my belief that this is telling me that the SA being established
> allows access to all networks that my gateway knows about.
>
> Is this correct?
>
> Andy
Personally, I think that this is illegal. From RFC2409:

    The identities of the SAs negotiated in Quick Mode are implicitly
    assumed to be the IP addresses of the ISAKMP peers, without any
    implied constraints on the protocol or port numbers allowed, unless
    client identifiers are specified in Quick Mode. If ISAKMP is acting
    as a client negotiator on behalf of another party, the identities of
    the parties MUST be passed as IDci and then IDcr. Local policy will
    dictate whether the proposals are acceptable for the identities
    specified. If the client identities are not acceptable to the Quick
    Mode responder (due to policy or other reasons), a Notify payload
    with Notify Message Type INVALID-ID-INFORMATION (18) SHOULD be sent.

If you specify 0.0.0.0, you are claiming to be representing *everyone*
else, including me.
Scott
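As an added example (not code from this thread, and not the code of any IKE implementation), the following Python sketches the responder side of what the RFC excerpt above describes: it parses the IDci and IDcr Identification payloads (generic header from RFC 2408, then ID Type, Protocol ID, Port and Identification Data per the IPsec DOI in RFC 2407), turns the IPV4_ADDR and IPV4_SUBNET forms into the traffic selector each one claims, and lets local policy decide, answering with INVALID-ID-INFORMATION (18) when a claimed selector is not covered or the payload is malformed. One design choice is an assumption of this example rather than anything the RFCs state: an all-zero ID_IPV4_ADDR is read as 0.0.0.0/0, the same claim as 0.0.0.0/0.0.0.0, so both encodings from the question are accepted only when policy explicitly lists 0.0.0.0/0 for that side. The sample payloads and the policy lists are constructed, not captured traffic.

```python
"""Responder-side handling of IKEv1 Quick Mode client identifiers.

Added example for this thread; it is not code from any IKE implementation.
Wire format: RFC 2408 s3.8 (generic payload header) and RFC 2407 s4.6.2
(IPsec DOI ID types, Protocol ID and Port fields).
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# ID types, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
# Notify Message Type, RFC 2408 section 3.14.1
INVALID_ID_INFORMATION = 18

ANY_IPV4 = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class IdPayload:
    id_type: int
    protocol: int  # IP protocol ID, 0 = any
    port: int      # port, 0 = any
    data: bytes    # Identification Data


def build_id_payload(id_type: int, data: bytes, protocol: int = 0, port: int = 0) -> bytes:
    """Encode: Next Payload, RESERVED, Payload Length, ID Type, Protocol ID, Port, data."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, protocol, port) + data


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode one Identification payload; a bad Payload Length is a hard error."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    _next, _reserved, length, id_type, protocol, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("Payload Length outside the buffer")
    return IdPayload(id_type, protocol, port, buf[8:length])


def id_to_network(pl: IdPayload) -> ipaddress.IPv4Network:
    """Traffic selector claimed by an IPv4 address or subnet ID.

    Design choice (an assumption of this example, not an RFC rule): an all-zero
    ID_IPV4_ADDR is read as 0.0.0.0/0, the same claim as 0.0.0.0/0.0.0.0, so
    both encodings from the question meet the same policy rule."""
    if pl.id_type == ID_IPV4_ADDR:
        if len(pl.data) != 4:
            raise ValueError("ID_IPV4_ADDR needs 4 octets")
        if pl.data == bytes(4):
            return ANY_IPV4
        return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(pl.data)}/32")
    if pl.id_type == ID_IPV4_ADDR_SUBNET:
        if len(pl.data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs address + mask")
        addr = ipaddress.IPv4Address(pl.data[:4])
        mask = ipaddress.IPv4Address(pl.data[4:])
        # ipaddress raises ValueError on a non-contiguous mask such as 255.0.255.0
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    raise ValueError(f"unsupported ID type {pl.id_type}")


def check_client_ids(idci: bytes, idcr: bytes,
                     permitted_remote: Iterable[str],
                     permitted_local: Iterable[str]) -> Tuple[bool, Optional[int], str]:
    """Decide whether to accept a Quick Mode proposal's client identities.

    IDci is the network the initiator claims to speak for, IDcr the network it
    asks this gateway to speak for. Each must lie inside a network local policy
    lists for that side. 0.0.0.0/0 is a subnet only of 0.0.0.0/0, so a wildcard
    claim passes only when policy explicitly lists "0.0.0.0/0" for that side.
    Returns (accepted, notify type to send or None, reason)."""
    try:
        remote = id_to_network(parse_id_payload(idci))
        local = id_to_network(parse_id_payload(idcr))
    except ValueError as err:
        return False, INVALID_ID_INFORMATION, f"malformed ID payload: {err}"
    if not any(remote.subnet_of(ipaddress.IPv4Network(p)) for p in permitted_remote):
        return False, INVALID_ID_INFORMATION, f"IDci {remote} not permitted by policy"
    if not any(local.subnet_of(ipaddress.IPv4Network(p)) for p in permitted_local):
        return False, INVALID_ID_INFORMATION, f"IDcr {local} not permitted by policy"
    return True, None, f"accept {remote} <-> {local}"


if __name__ == "__main__":
    # Constructed sample payloads and policy, not captured traffic.
    idcr = build_id_payload(ID_IPV4_ADDR_SUBNET, bytes([192, 168, 1, 0, 255, 255, 255, 0]))
    cases = {
        "10.1.0.0/255.255.0.0": build_id_payload(ID_IPV4_ADDR_SUBNET, bytes([10, 1, 0, 0, 255, 255, 0, 0])),
        "0.0.0.0 (IPV4_ADDR)": build_id_payload(ID_IPV4_ADDR, bytes(4)),
        "0.0.0.0/0.0.0.0 (IPV4_SUBNET)": build_id_payload(ID_IPV4_ADDR_SUBNET, bytes(8)),
    }
    for label, idci in cases.items():
        print(label, check_client_ids(idci, idcr, ["10.1.0.0/16"], ["192.168.1.0/24"]))
    # Only a policy that explicitly lists "any" lets the wildcard through.
    print("wildcard, any-policy", check_client_ids(cases["0.0.0.0 (IPV4_ADDR)"], idcr,
                                                   ["0.0.0.0/0"], ["192.168.1.0/24"]))
```

The point the policy check makes concrete is the one in the RFC text: the responder never infers what a wildcard client ID "means" from the ID itself; it only asks whether what is claimed sits inside what local policy already permits, and a 0.0.0.0 or 0.0.0.0/0.0.0.0 claim sits inside nothing except an explicit "any" entry.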