
Re: Client ID 0.0.0.0 Question
Andrew Sweeney wrote:
> 
> Hi,
> 
> I am a gateway running in tunnel mode.
> 
> What does an advertised client ID of 0.0.0.0 type IPV4_ADDR or
> 0.0.0.0/0.0.0.0 type IPV4_SUBNET mean?
> 
> It is my belief that this is telling me that the SA being established
> allows access to all networks that my gateway knows about.
> 
> Is this correct?
> 
> Andy

Personally, I think that this is illegal. From RFC 2409,

   The identities of the SAs negotiated in Quick Mode are implicitly
   assumed to be the IP addresses of the ISAKMP peers, without any
   implied constraints on the protocol or port numbers allowed, unless
   client identifiers are specified in Quick Mode.  If ISAKMP is acting
   as a client negotiator on behalf of another party, the identities of
   the parties MUST be passed as IDci and then IDcr.  Local policy will
   dictate whether the proposals are acceptable for the identities
   specified.  If the client identities are not acceptable to the Quick
   Mode responder (due to policy or other reasons), a Notify payload
   with Notify Message Type INVALID-ID-INFORMATION (18) SHOULD be sent.

If you specify 0.0.0.0, you are claiming to be representing *everyone*
else, including me.

Scott
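The responder-side check that the RFC 2409 paragraph quoted above describes, written out as an added example (not code from any IKE implementation, and not from either poster): it decodes IPsec DOI Identification payloads (RFC 2408 section 3.8 header, RFC 2407 section 4.6.2 ID types) and applies a local policy that accepts IDci/IDcr only when they fall inside networks the responder is configured for, answering anything else with Notify type INVALID-ID-INFORMATION (18). The configured networks, the sample payloads and the rule that client IDs must lie inside configured networks are assumptions made for this example; RFC 2409 leaves that decision to local policy, which is exactly where a 0.0.0.0 or 0.0.0.0/0.0.0.0 identifier gets refused, since it is never a subnet of any real network.

```python
"""
Quick Mode client identifier check on the responder side (constructed example).

Parses ISAKMP Identification payloads carrying IPsec DOI IPv4 identities and
applies an assumed local policy. Not code from any real IKE implementation.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

# IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4

# ISAKMP Notify Message Type returned when client IDs are refused (RFC 2408, section 3.14.1)
INVALID_ID_INFORMATION = 18

Net = ipaddress.IPv4Network


def build_id_payload(id_type: int, *addrs: str, proto: int = 0, port: int = 0) -> bytes:
    """Encode an Identification payload carrying IPv4 data.

    Generic header: Next Payload, RESERVED, Payload Length; then ID Type,
    Protocol ID and Port (RFC 2407, section 4.6.2). Zero in Protocol ID or
    Port means that field is to be ignored, i.e. no protocol/port constraint.
    """
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), id_type, proto, port) + body


def parse_id_payload(data: bytes) -> Tuple[int, int, int, Net]:
    """Decode an Identification payload into (id_type, proto, port, network).

    A single address comes back as a /32 so policy can treat ID_IPV4_ADDR and
    ID_IPV4_ADDR_SUBNET uniformly. Malformed input (short payload, bad length
    field, non-contiguous mask) raises ValueError.
    """
    if len(data) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _rsv, length, id_type, proto, port = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("Payload Length does not match received data")
    body = data[8:]
    if id_type == ID_IPV4_ADDR and len(body) == 4:
        net = Net((body, 32))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(body) == 8:
        # RFC 2407: four octets of address followed by four octets of netmask.
        # ipaddress rejects a non-contiguous mask with a ValueError subclass.
        mask = str(ipaddress.IPv4Address(body[4:]))
        net = Net((body[:4], mask), strict=False)
    else:
        raise ValueError(f"unsupported or malformed ID type {id_type}")
    return id_type, proto, port, net


def check_client_ids(idci: bytes, idcr: bytes,
                     peer_networks: List[Net], local_networks: List[Net]) -> Optional[int]:
    """Assumed local policy for Quick Mode client identifiers.

    IDci must lie inside a network the peer is configured to proxy for and
    IDcr inside a network this gateway protects. Returns None when both are
    acceptable, otherwise the Notify Message Type to send. A wildcard such as
    0.0.0.0 or 0.0.0.0/0.0.0.0 is never a subnet of a configured network, so
    it is refused without needing a special case.
    """
    try:
        _, _, _, client = parse_id_payload(idci)
        _, _, _, local = parse_id_payload(idcr)
    except ValueError:
        return INVALID_ID_INFORMATION
    if not any(client.subnet_of(n) for n in peer_networks):
        return INVALID_ID_INFORMATION
    if not any(local.subnet_of(n) for n in local_networks):
        return INVALID_ID_INFORMATION
    return None


# Constructed policy for this example: the peer proxies for 10.1.0.0/16,
# this gateway protects 10.2.0.0/16 and 192.168.5.0/24.
PEER_NETWORKS = [Net("10.1.0.0/16")]
LOCAL_NETWORKS = [Net("10.2.0.0/16"), Net("192.168.5.0/24")]

# Constructed sample payloads: one normal pair and the two wildcard forms from the question.
GOOD_IDCI = build_id_payload(ID_IPV4_ADDR_SUBNET, "10.1.0.0", "255.255.0.0")
GOOD_IDCR = build_id_payload(ID_IPV4_ADDR_SUBNET, "10.2.0.0", "255.255.0.0")
WILDCARD_SUBNET = build_id_payload(ID_IPV4_ADDR_SUBNET, "0.0.0.0", "0.0.0.0")
WILDCARD_ADDR = build_id_payload(ID_IPV4_ADDR, "0.0.0.0")


def demo() -> dict:
    """Run the policy over the sample payloads; None means accepted."""
    return {
        "normal": check_client_ids(GOOD_IDCI, GOOD_IDCR, PEER_NETWORKS, LOCAL_NETWORKS),
        "wildcard_subnet": check_client_ids(WILDCARD_SUBNET, GOOD_IDCR, PEER_NETWORKS, LOCAL_NETWORKS),
        "wildcard_addr": check_client_ids(WILDCARD_ADDR, GOOD_IDCR, PEER_NETWORKS, LOCAL_NETWORKS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result is None else f'Notify type {result}'}")
```

The same check applies in the other direction: a 0.0.0.0/0.0.0.0 in IDcr is refused because it is not inside anything this gateway protects, and a payload whose Payload Length disagrees with the bytes received is refused before any policy is consulted.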