
RE: using port numbers in selectors



I think that there are situations where it is reasonable for the responder
to demand an exact 5-tuple match; but there are also cases where the
responder may require the initiator to propose one address out of the
network that is defined in the policy.

The first case may arise in gateway-gateway VPNs, where it is reasonable to
want 1 SA per network; else an SA explosion may occur.

The second case may arise in client-gateway VPNs (where IP addresses can be
used to define policies, e.g. cable modem). The policy may be broad, but the
initiator must initiate for itself. I think it is hard to make a case for
accepting scoping down of any field other than the src address.

In the LDAP IPsec policy draft, we specify a flag that, if set, requires the
responder to accept only one address out of the src address of the policy.

Partha.

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Dan Harkins
> Sent: Tuesday, June 22, 1999 11:11 AM
> To: Scott G. Kelly
> Cc: ipsec@lists.tislabs.com
> Subject: Re: using port numbers in selectors
>
>
>   I may regret opening this up again but....
>
>   So what are you going to do if you're locally configured for, say,
> "all tcp traffic" or "all IP traffic" and someone gives you an offer
> of "tcp port X"? Refuse it?
>
>   Similarly, what do you do if you're configured for "all IP to the
> 10.20.30/24 network" and someone gives you an offer to 10.20.30.87?
> Do you refuse it?
>
>   Dan.
>
> On Tue, 22 Jun 1999 10:16:40 PDT you wrote
> > "Steven M. Bellovin" wrote:
> > >
> > > Do any commercial IPSEC implementations use port numbers in their
> > > policy databases?  The ones I've looked at this far seem to use only
> > > IP addresses.
> >
> > RedCreek will be supporting ports in an upcoming release.
>
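As an added illustration (not code from this thread or from the LDAP IPsec policy draft), the responder check Partha describes in Python: by default an exact 5-tuple match against the policy, and with the flag set, acceptance of exactly one host address drawn from the policy's src network while every other field must still match the policy exactly. The `Selector` fields, the `single_src_only` flag name and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """One SPD entry or one proposed traffic selector (hypothetical layout).
    src/dst are CIDR strings; None for proto or a port means 'any'."""
    src: str
    dst: str
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]


def _same_net(a: str, b: str) -> bool:
    return ipaddress.ip_network(a) == ipaddress.ip_network(b)


def accept_proposal(policy: Selector, proposal: Selector, single_src_only: bool) -> bool:
    """Responder decision for an initiator's selector proposal.

    single_src_only=False: exact 5-tuple match (one SA per network, the
        gateway-gateway case).
    single_src_only=True:  the flag from the thread; the proposed src must be
        a single host inside the policy's src network, all other fields exact
        (the client-gateway case, where the initiator initiates for itself).
    """
    if single_src_only:
        src_net = ipaddress.ip_network(proposal.src)
        if src_net.num_addresses != 1:
            return False  # must name exactly one address
        if not src_net.subnet_of(ipaddress.ip_network(policy.src)):
            return False  # and it must come from the policy's network
    elif not _same_net(proposal.src, policy.src):
        return False
    # No scoping down of anything but the src address is accepted.
    return (_same_net(proposal.dst, policy.dst)
            and proposal.proto == policy.proto
            and proposal.sport == policy.sport
            and proposal.dport == policy.dport)


if __name__ == "__main__":
    # Constructed sample: policy "all IP from 10.20.30/24 to 192.0.2/24".
    policy = Selector("10.20.30.0/24", "192.0.2.0/24", None, None, None)
    one_host = Selector("10.20.30.87/32", "192.0.2.0/24", None, None, None)
    print("flag set, single host:", accept_proposal(policy, one_host, True))
    print("flag clear, single host:", accept_proposal(policy, one_host, False))
```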