
Re: inconsistencies in IKE specs



On Tue, 24 Aug 1999 17:54:10 EDT John Shriver wrote
>    From: Dan Harkins <dharkins@network-alchemy.com>
>    On Tue, 24 Aug 1999 14:17:13 EDT you wrote
> 
>    > Personally, I think it would make a great deal of sense to say that
>    > Phase 2 ID's may only be ID_IPV4_ADDR or ID_IPV6_ADDR.  I'd really
>    > love to see more MUST NOT's in these specs.
> 
>    Limiting these to only a single IP addr would mean that IKE would be
>    unable to express selectors with wildcarded addresses. Since those
>    are required for all implementation (i.e. you MUST support them per 
>    RFC2401) I don't think it would make too much sense to remove support 
>    for them from RFC2409 (or the draft that will hopefully deprecate RFC2409).
> 
> Of course, allowing these to address a range or subnet means that you
> have just defined "incoming" SA's with the same SPI and key for a
> large group of hosts.  That's a very strange thing to do.  Broad key
> sharing is not considered good for you.

RFC2401 says that selectors with wildcarded addresses "are used to support 
more than one destination system sharing the same SA (e.g., behind a 
security gateway)." You may think it strange but for you to be a compliant
IPSec device this is what you MUST do. You also MUST verify that what you
take out of the tunnel matches what was negotiated, i.e. if IDi2 is 10.10.1/24
and IDr2 is 172.16.24/24 and what you take out is a packet from 10.10.1.87
to 172.16.23.8 you MUST drop it.

Compliance with RFC2401 is not elective, even if it seems strange to you.

> Perhaps we also should make it clear that ID_i2 and ID_r2 are the
> identity of the "outer" (endpoint) IP address when using transforms in
> tunnel mode.  Someone might mistakenly think that they are used to
> negotiate the inner addresses for tunnel mode, and that the outer
> remains the ISAKMP peer's address.

You have it backwards. IDi2 and IDr2 are used to define the inner addresses.
The outer addresses are always the IKE peers' addresses. Again, referring 
to RFC2401: "Note that this selector is conceptually different from the 
'Destination IP Address' field in the <Destination IP Address, IPsec Protocol,
SPI> tuple used to uniquely identify an SA."

  Dan.
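An added illustration of the two points in Dan's reply (this is example code, not anything from the original mail or from an IKE implementation): the outer header of an inbound tunnel-mode packet identifies the IKE peers and selects the SA by the RFC2401 <Destination IP Address, IPsec Protocol, SPI> tuple, while the inner addresses are checked against the negotiated IDi2/IDr2 selectors, with a packet that falls outside them dropped. The SAD dictionary, SPI values, outer addresses, function names and the "lo-hi" range syntax are all constructed assumptions; the mail's 10.10.1/24 is written in full as 10.10.1.0/24 because Python's ipaddress module needs a complete address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed illustration of the inbound selector check described in the
# mail above; names, SPI values and addresses are assumptions. Written for
# the responder side: an inbound packet from the initiator must carry an
# inner source inside IDi2 and an inner destination inside IDr2.


@dataclass(frozen=True)
class Phase2SA:
    spi: int
    outer_src: str   # IKE peer's address: outer (tunnel) header source
    outer_dst: str   # our own address: outer (tunnel) header destination
    idi2: str        # inner selector negotiated as IDi2 (initiator side)
    idr2: str        # inner selector negotiated as IDr2 (responder side)


def selector_matcher(selector):
    """Build a predicate for one Phase 2 ID. Accepts the three address
    forms the thread discusses: a single address (ID_IPV4_ADDR), a CIDR
    prefix (ID_IPV4_ADDR_SUBNET) or a 'lo-hi' range (ID_IPV4_ADDR_RANGE).
    The 'lo-hi' text form is an assumption of this example."""
    if "-" in selector:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in selector.split("-", 1))
        return lambda addr: lo <= addr <= hi
    net = ipaddress.ip_network(selector, strict=False)   # single address -> /32
    return lambda addr: addr in net


def lookup_sa(sad, outer_dst, proto, spi):
    """SA lookup on the <Destination IP Address, IPsec Protocol, SPI> tuple
    that RFC2401 uses to identify an SA; 'sad' is a constructed dict here."""
    return sad.get((outer_dst, proto, spi))


def check_inbound(sad, outer_src, outer_dst, proto, spi, inner_src, inner_dst):
    """Decide whether a decapsulated packet may be delivered.
    Returns (accept, reason). Outer addresses identify the tunnel endpoints;
    inner addresses are matched against the negotiated IDi2/IDr2 selectors."""
    sa = lookup_sa(sad, outer_dst, proto, spi)
    if sa is None:
        return False, "no SA for outer dst/proto/SPI"
    if sa.outer_src != outer_src:
        return False, "outer source is not the IKE peer for this SA"
    src = ipaddress.ip_address(inner_src)
    dst = ipaddress.ip_address(inner_dst)
    if not selector_matcher(sa.idi2)(src):
        return False, f"inner src {src} outside IDi2 {sa.idi2}"
    if not selector_matcher(sa.idr2)(dst):
        return False, f"inner dst {dst} outside IDr2 {sa.idr2}"
    return True, "selectors match"


# Constructed SAD carrying the mail's selectors. 10.10.1/24 is written in
# full as 10.10.1.0/24 because the ipaddress module needs a complete address.
SAD = {
    ("198.51.100.1", "ESP", 0x1000): Phase2SA(
        spi=0x1000, outer_src="192.0.2.1", outer_dst="198.51.100.1",
        idi2="10.10.1.0/24", idr2="172.16.24.0/24"),
    ("198.51.100.1", "ESP", 0x2000): Phase2SA(
        spi=0x2000, outer_src="192.0.2.1", outer_dst="198.51.100.1",
        idi2="10.10.1.10-10.10.1.20", idr2="172.16.24.8"),
}


if __name__ == "__main__":
    # The mail's example: src inside IDi2, dst in 172.16.23/24, which is
    # outside IDr2, so the packet is dropped.
    print(check_inbound(SAD, "192.0.2.1", "198.51.100.1", "ESP", 0x1000,
                        "10.10.1.87", "172.16.23.8"))
    # Same SA, destination now inside IDr2: accepted.
    print(check_inbound(SAD, "192.0.2.1", "198.51.100.1", "ESP", 0x1000,
                        "10.10.1.87", "172.16.24.8"))
```

The first SA shows the subnet selectors from the mail (one SPI and key shared by every host in 10.10.1/24, the wildcard case RFC2401 requires), the second shows a range paired with a single address so the same check covers all three ID types. The outer-source comparison is what keeps the inner-address check meaningful: the selectors only say which traffic may ride the tunnel, not who the tunnel endpoints are, which is always the IKE peers.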
