[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: Michael Richardson <mcr@solidum.com>
Subject: Re: Heartbeats Straw Poll
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Tue, 08 Aug 2000 17:15:15 -0400
Cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Tue, 08 Aug 2000 11:39:07 EDT." <200008081539.LAA11332@solidum.com>
Sender: owner-ipsec@lists.tislabs.com


In message <200008081539.LAA11332@solidum.com>, Michael Richardson writes:
>
>  The source address of the ICMP ping that the gateway sends can be whatever
>is necessary to fit into the existing SA.
>  If the existing SA is a protocol specific, or port-specific SA that does
>not permit ICMP, then you can't use this. I do not believe that there are any
>currently deployed situations where people are using such policies, and I
>have long argued that certain ICMP should permitted by such a policy in any
>case.

>From my experience, a number of commercial firewalls with IPsec support make
that assumption implicitly (that an SA negotiated for traffic between two
nets can also be used for traffic between the two gateways).
-Angelos

References:

Re: Heartbeats Straw Poll

From: Michael Richardson <mcr@solidum.com>

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: Re: Heartbeats Straw Poll
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread