
Cisco "dynamic-map"s



I'd be grateful for information about a particular aspect of Cisco's
implementation.  

A Cisco configuration file can use the key word dynamic-map, as in 

   crypto dynamic-map mydynamicmap 10
    match address 103
    set transform-set my_t_set1 my_t_set2 my_t_set3


(quoted from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdipsec.htm) 

What this means is that a peer will be allowed to initiate an IPsec
tunnel for certain packets.  *Which* packets is determined by the
"match address 103" line; it means the set of packets accepted by
access list number 103, which would be defined elsewhere in the file.  
Then those packets will be subjected to one of the named
my_t_set_i sets of transforms.

My question is this:  Is there any way to constrain which *peers* can
initiate tunnels for these packets?

For instance, if all the packets accepted by access list 103 have
source address in a particular class C network, then I might want to
stipulate that the peer should have an address in that network too
(any address in that network would be OK).  

I might not want a peer in one class C network "authenticating"
packets that purportedly come from a different class C network.  Even
if I have a reliable public key for the peer.

In fact, if it's not possible to prevent this, it would seem to me an
unsafe mechanism.  

I hope that this is not too implementation-specific a question for
this list.  I have sent the question here because it's really about
how to use IPsec mechanisms to achieve reasonable packet-level access
control.  

Thanks.

        Joshua 
-- 
	Joshua D. Guttman		<guttman@mitre.org> 
	MITRE, Mail Stop A150 
	202 Burlington Rd.		Tel:	+1 781 271 2654
	Bedford, MA 01730-1420 USA	Fax:	+1 781 271 3816
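Added example, not part of the original post or of Cisco's software: a small Python model of the constraint the question asks for. It parses the extended access list that a "match address 103" line would point at (Cisco address/wildcard-mask syntax, plus the "host" and "any" forms), and then checks whether a peer proposing an SA for that traffic itself sits inside the source network the list covers, so a peer in one class C network cannot claim to "authenticate" packets from another. It also flags rules whose source is "any", where such a check cannot constrain anything. The access-list lines and peer addresses are constructed samples; deny lines and non-ip protocols are skipped in this simplified model.

```python
"""Model of a peer-must-be-in-source-network check for a dynamic crypto map.

Added illustration, not Cisco code. The access list below is a constructed
sample standing in for the list named by "match address 103".
"""
import ipaddress

# Constructed sample access list 103 (extended ACL, Cisco wildcard-mask form).
ACL_103 = """
access-list 103 remark traffic a dynamic-map peer may protect
access-list 103 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 103 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
access-list 103 permit ip host 192.0.2.10 any
access-list 103 deny ip any any
"""


def _take_address(toks):
    """Consume one address specification from a token list.

    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard
    mask). Returns (IPv4Network, remaining tokens).
    """
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    addr, wildcard = toks[0], toks[1]
    if wildcard == "0.0.0.0":
        # A zero wildcard means "exactly this host" in Cisco syntax; ipaddress
        # would read an all-zero mask as a /0 net mask, so special-case it.
        return ipaddress.IPv4Network(addr + "/32"), toks[2:]
    # ipaddress understands a leading-zero mask as a host (wildcard) mask,
    # so "192.0.2.0/0.0.0.255" becomes 192.0.2.0/24.
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False), toks[2:]


def parse_acl(text, number):
    """Return [(source_network, destination_network), ...] for each
    'permit ip' entry of extended access list `number`."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[1] != str(number):
            continue
        if toks[2] != "permit" or toks[3] != "ip":
            continue  # remarks, deny lines and other protocols are skipped here
        src, rest = _take_address(toks[4:])
        dst, _ = _take_address(rest)
        rules.append((src, dst))
    return rules


def peer_allowed(peer_ip, rules):
    """The constraint asked for in the post: a peer may only negotiate
    protection for traffic whose source network contains the peer's own
    address. Returns the first matching (src, dst) rule, or None."""
    peer = ipaddress.IPv4Address(peer_ip)
    for src, dst in rules:
        if peer in src:
            return (src, dst)
    return None


def unconstrained_rules(rules):
    """Rules whose source is 'any': the peer check above cannot limit who
    may negotiate for this traffic, which is the situation to audit for."""
    return [(src, dst) for src, dst in rules if src.prefixlen == 0]


if __name__ == "__main__":
    rules = parse_acl(ACL_103, 103)
    for ip in ("192.0.2.77", "198.51.100.5"):
        print(ip, "->", peer_allowed(ip, rules))
    print("unconstrained:", unconstrained_rules(rules))
```

The check models the decision at SA-proposal time: the peer's address and the access list are known before any transform set is applied, which is where the post wants the constraint enforced. A source of "any" in the list is the case to look for, since no peer-address rule can narrow it.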
