
RE: Some queries regarding IP security



>>>>> "Andrew" == Andrew Krywaniuk <akrywaniuk@TimeStep.com> writes:

 Andrew> I think you guys are missing the point of what Shamik was
 Andrew> asking. Of course you have to check the SPD for every packet
 Andrew> to verify the IPs, ports, etc., but he was asking
 Andrew> specifically about verifying the order of SAs in a bundle.

 Andrew> I.e. if you negotiate to do IPCOMP ESP AH and the other guy
 Andrew> sends you a packet with ESP AH IPCOMP (not that this order
 Andrew> makes any sense), should you drop the packet?

Yes, you should.  Chances are you will not so much because of a policy 
that says "accept only what you negotiated" but simply because the
implementation flat out refuses to accept weird transform orders like
that. 

	paul
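
An inbound bundle-order check of the kind discussed above, as an added example that is not part of either message or of any particular IPsec implementation. The struct and function names and the SPI/CPI values are hypothetical, and it assumes the negotiated list "IPCOMP ESP AH" is written in the order the sender applies the transforms, so the receiver meets them in reverse.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA IP protocol numbers for the three transforms in the thread. */
enum { PROTO_ESP = 50, PROTO_AH = 51, PROTO_IPCOMP = 108 };

struct sa_ref { uint8_t proto; uint32_t spi; };  /* spi carries the CPI for IPComp */

/* Hypothetical policy entry: SAs in the order the sender applies them. */
struct bundle { size_t n; const struct sa_ref *sa; };

/* seen[] is what the receive path recorded, outermost header first.
 * The receiver undoes transforms in reverse of the sender's order, so
 * seen[i] must equal the negotiated SA at position n-1-i.
 * Returns 1 to accept, 0 to drop. */
int bundle_order_ok(const struct bundle *neg, const struct sa_ref *seen, size_t n)
{
    if (n != neg->n)
        return 0;                       /* transform missing or extra */
    for (size_t i = 0; i < n; i++) {
        const struct sa_ref *want = &neg->sa[n - 1 - i];
        if (seen[i].proto != want->proto || seen[i].spi != want->spi)
            return 0;                   /* wrong order or wrong SA */
    }
    return 1;
}

/* Constructed sample data: SPI/CPI values are made up. */
static const struct sa_ref NEG_SAS[] = {
    { PROTO_IPCOMP, 0x1001 }, { PROTO_ESP, 0x2001 }, { PROTO_AH, 0x3001 } };
static const struct bundle NEGOTIATED = { 3, NEG_SAS };
static const struct sa_ref RX_GOOD[] = {       /* AH, ESP, IPCOMP on the wire */
    { PROTO_AH, 0x3001 }, { PROTO_ESP, 0x2001 }, { PROTO_IPCOMP, 0x1001 } };
static const struct sa_ref RX_REORDERED[] = {  /* sender applied ESP, AH, IPCOMP */
    { PROTO_IPCOMP, 0x1001 }, { PROTO_AH, 0x3001 }, { PROTO_ESP, 0x2001 } };

int main(void)
{
    printf("negotiated order: %s\n", bundle_order_ok(&NEGOTIATED, RX_GOOD, 3) ? "accept" : "drop");
    printf("reordered:        %s\n", bundle_order_ok(&NEGOTIATED, RX_REORDERED, 3) ? "accept" : "drop");
    printf("ESP+IPCOMP only:  %s\n", bundle_order_ok(&NEGOTIATED, RX_GOOD + 1, 2) ? "accept" : "drop");
    return 0;
}
```

The third case shows why the length is compared as well as the order: a packet that skips the outer AH would otherwise match the tail of the bundle.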


