
Re: Cisco "dynamic-map"s



Hello Joshua,

This is a bit implementation specific.

The dynamic map is geared for remote access where the source IP is
unknown - hence the reason for assigning it last: "If you don't know the
peer, i.e. it matches none of the static maps, allow it to communicate using
a dynamic map". If you want to limit it, add the accepted IP addresses
to the ACL 103. In other words, if you know that
all your remote users are on cable modems, enter permit 24.0.0.0
0.255.255.255 - or something along those lines.

If you want to limit access to the known IP addresses, you could just use
expanded static maps.

my $0.02

-jim


Friday, July 28, 2000, 4:05:03 PM, you wrote:

JDG> I'd be grateful for information about a particular aspect of Cisco's
JDG> implementation.  

JDG> A Cisco configuration file can use the key word dynamic-map, as in 

JDG>    crypto dynamic-map mydynamicmap 10
JDG>     match address 103
JDG>     set transform-set my_t_set1 my_t_set2 my_t_set3


JDG> (quoted from
JDG> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdipsec.htm) 

JDG> What this means is that a peer will be allowed to initiate an IPsec
JDG> tunnel for certain packets.  *Which* packets is determined by the
JDG> "match address 103" line; it means the set of packets accepted by
JDG> access list number 103, which would be defined elsewhere in the file.  
JDG> Then those packets will be subjected to the one of the named
JDG> my_t_set_i sets of transforms.  

JDG> My question is this:  Is there any way to constrain which *peers* can
JDG> initiate tunnels for these packets?

JDG> For instance, if all the packets accepted by access list 103 have
JDG> source address in a particular class C network, then I might want to
JDG> stipulate that the peer should have an address in that network too
JDG> (any address in that network would be OK).  

JDG> I might not want a peer in one class C network "authenticating"
JDG> packets that purportedly come from a different class C network.  Even
JDG> if I have a reliable public key for the peer.

JDG> In fact, if it's not possible to prevent this, it would seem to me an
JDG> unsafe mechanism.  

JDG> I hope that this is not too implementation-specific a question for
JDG> this list.  I have sent the question here because it's really about
JDG> how to use IPsec mechanisms to achieve reasonable packet-level access
JDG> control.  

JDG> Thanks.

JDG>         Joshua 

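As an added illustration of the two approaches discussed above (jim's "expanded static maps" for known peers, the dynamic map with ACL 103 for everyone else), here is an IOS crypto map configuration. It is not from the original messages or from the Cisco document Joshua cites. The names mydynamicmap, my_t_set1 and ACL 103 come from the thread; mymap, ACL 101, the interface, the key string and all addresses (192.0.2.10, 10.1.1.0/24, 10.2.2.0/24) are hypothetical. The IKE authentication for the dynamic-map peers (certificates or a wildcard pre-shared key) is assumed to be configured elsewhere and is not shown.

```cisco
! Added example, not the original poster's configuration.
! IKE policy (phase 1) shared by all peers.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
! Pre-shared key bound to one known peer address (hypothetical).
crypto isakmp key MySharedSecret address 192.0.2.10
!
crypto ipsec transform-set my_t_set1 esp-3des esp-sha-hmac
!
! Static entry: "set peer" is what pins the remote gateway address.
! Only 192.0.2.10 may negotiate SAs for the traffic in ACL 101.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set my_t_set1
 match address 101
!
! Dynamic entry for peers whose address is not known in advance.
! ACL 103 restricts the traffic selectors (proxy identities) the router
! will accept in the peer's proposal; it does not restrict the peer's own
! IP address. Here the remote side may only claim hosts in 24.0.0.0/8.
access-list 103 permit ip 10.1.1.0 0.0.0.255 24.0.0.0 0.255.255.255
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1
!
! The dynamic entry gets the highest sequence number so that static
! entries are evaluated first and win for known peers.
crypto map mymap 65535 ipsec-isakmp dynamic mydynamicmap
!
interface Serial0
 crypto map mymap
```

The point this shows relative to Joshua's question: the crypto ACL in a dynamic map is a selector on what traffic an authenticated peer may protect, not on who the peer is. A peer that authenticates and proposes identities within ACL 103 is accepted regardless of its source address. If a specific peer must only speak for a specific network, the static entry with `set peer` and its own ACL is the control that enforces it.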



