
Re: Q: SPD & IKE phase2 IDs



At 21:05 6.3.2000 +0900, you wrote:
>Q: SPD & IKE phase2 IDs 
>
>I have some questions about SPD & IKE phase2 IDs. 
>
>Which implementation is better No.1 or No.2 in the example below?
>In other words, which is 'MUST'?
>
>

There is no MUST here. The policy on GW1 might say "Do QM with
the nets" or "Do QM only with host pairs". Or the 
GW1 does not have a policy setting at all, so it does it
always in one way or the other.

There is no "better" here, either. QM with host pairs will
give an attacker headaches because there are a lot of keys
to crack and less traffic per SA. On the other hand,
you might get _a_lot_ of QMs, and memory consumption
goes up.

We have a setting for this, it even goes down to
protocols and ports, so if you send a ping, the GW1
will only make a QM for ICMP. Only useful for stress
tests, really.

The same problem appears on the responder side; it is
a common implementation (at the interops, anyway) to
allow QM to a subnet of the configured net.
So even if GW2 would do QM with 192.168.20.0/28
to 192.168.21.1-192.168.21.5, GW1 would accept that.

Jörn
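The responder-side behaviour Jörn describes (accepting a Quick Mode whose Phase 2 IDs cover only a subset of the configured net) can be written down as a selector containment check. The following is an added illustration, not code from the mail or from any named implementation; the SPD entry on GW1, the helper names and the addresses in the test cases are constructed for this example. It handles the three ID forms the thread mentions (a subnet, an inclusive address range, and a single host) and rejects proposals that reach outside the configured policy or are malformed.

```python
"""Responder-side check for IKE Phase 2 (Quick Mode) traffic selectors.

Added example (not from the original mail). It models a responder that
accepts a proposal narrowing the configured SPD selectors and rejects one
that exceeds them. The SPD entry and the addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One side of a traffic selector as an inclusive address range."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @classmethod
    def parse(cls, text: str) -> "Selector":
        # Subnet form (ID_IPV4_ADDR_SUBNET style), e.g. "192.168.20.0/28".
        # strict=True rejects a prefix with host bits set.
        if "/" in text:
            net = ipaddress.ip_network(text, strict=True)
            return cls(net.network_address, net.broadcast_address)
        # Range form (ID_IPV4_ADDR_RANGE style), e.g. "192.168.21.1-192.168.21.5".
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range: {text}")
            return cls(lo, hi)
        # Single host form (ID_IPV4_ADDR).
        addr = ipaddress.ip_address(text)
        return cls(addr, addr)

    def covers(self, other: "Selector") -> bool:
        """True if `other` lies entirely inside this selector."""
        return self.first <= other.first and other.last <= self.last


@dataclass(frozen=True)
class SpdEntry:
    """A configured SPD entry: local and remote selectors to protect."""
    local: Selector
    remote: Selector


def narrowing_allowed(policy: SpdEntry, proposed_local: str, proposed_remote: str) -> bool:
    """Decide whether the peer's Phase 2 IDs fit inside the configured policy.

    A proposal that narrows the configured selectors (to a smaller subnet,
    a range or a host pair) is accepted; one that reaches outside them, or
    cannot be parsed, is rejected. Mixed address families raise TypeError
    on comparison and are rejected as well.
    """
    try:
        loc = Selector.parse(proposed_local)
        rem = Selector.parse(proposed_remote)
        return policy.local.covers(loc) and policy.remote.covers(rem)
    except (ValueError, TypeError):
        return False


# Constructed SPD entry on GW1: protect traffic between two /24 nets
# (hypothetical configuration, chosen to match the thread's example addresses).
GW1_POLICY = SpdEntry(Selector.parse("192.168.20.0/24"),
                      Selector.parse("192.168.21.0/24"))


if __name__ == "__main__":
    # The narrowing from the mail: a /28 to a five-host range, accepted.
    print(narrowing_allowed(GW1_POLICY, "192.168.20.0/28", "192.168.21.1-192.168.21.5"))
    # A proposal wider than the configured net, rejected.
    print(narrowing_allowed(GW1_POLICY, "192.168.20.0/23", "192.168.21.0/24"))
```

The check is deliberately one-directional: the responder never widens its own policy to meet the proposal, it only confirms the proposal sits inside what it was configured to protect. Per-host-pair Quick Modes, the alternative Jörn weighs above, pass the same check and simply produce more, smaller SAs.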
