[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Out of Sync Security Policies - Design Flaw

To: <ipsec@lists.tislabs.com>
Subject: RE: Out of Sync Security Policies - Design Flaw
From: "Markku Savela" <Markku.Savela@research.nokia.com>
Date: Tue, 7 Nov 2000 17:01:10 +0200
Importance: Normal
In-Reply-To: <3A07FE1F.A802C7DC@americasm01.nt.com>
Sender: owner-ipsec@lists.tislabs.com

> From: EXT Kim Edwards [mailto:kimed@nortelnetworks.com]
>> I believe that a third Id payload would be required:
> 
> - Id payload for Initiator's security policy selectors
> - Id payload for Responder's security policy selectors
> - Id payload for Initiator's packet selectors

Another solution is totally disable policy checking from IKE.

Kernel has to do it anyway for each packet as described in RFC-2401.

Follow-Ups:

Re: Out of Sync Security Policies - Design Flaw

From: "Kim Edwards" <kimed@nortelnetworks.com>

References:

Re: Out of Sync Security Policies - Design Flaw

From: "Kim Edwards" <kimed@nortelnetworks.com>

Prev by Date: Re: Out of Sync Security Policies - Design Flaw
Next by Date: Re: Out of Sync Security Policies - Design Flaw
Prev by thread: Re: Out of Sync Security Policies - Design Flaw
Next by thread: Re: Out of Sync Security Policies - Design Flaw
Index(es):
- Main
- Thread