
Re: Out of Sync Security Policies - Design Flaw



Markku,

I cannot see how your solution will prevent the scenario I mentioned in
my first posting to the mailing list. The problem lies with the fact
that we are not negotiating policy selectors. Therefore, the responder
SA has different policy selectors than the initiator's SA which leads to
my initial problem of not negotiating a new IPsec SA for ICMP traffic.
The initiator will attempt to pass the ICMP traffic across the first SA
it negotiated, but the responder will discard this protected ICMP
traffic as the policy selectors in its SA are for TCP traffic only.

Markku Savela wrote:

 > > From: EXT Kim Edwards [mailto:kimed@nortelnetworks.com]
 > >> I believe that a third Id payload would be required:
 > >
 > > - Id payload for Initiator's security policy selectors
 > > - Id payload for Responder's security policy selectors
 > > - Id payload for Initiator's packet selectors
 >
 > Another solution is to totally disable policy checking from IKE.
 >
 > The kernel has to do it anyway for each packet, as described in RFC-2401.

Kim
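To make the mismatch concrete, here is an added toy model (not code from this thread or from any IPsec implementation) of the scenario Kim describes: each peer binds the selectors of its own SPD entry to the SA, so the responder's RFC 2401 inbound check discards the ICMP the initiator sent over the SA it had matched. Addresses, the SPI and the two policies are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Selector:  # traffic selector a host's SPD entry binds to an SA
    src: str
    dst: str
    proto: str = ANY  # "tcp", "icmp" or ANY

    def matches(self, pkt):
        return (self.src == pkt["src"] and self.dst == pkt["dst"]
                and self.proto in (ANY, pkt["proto"]))

@dataclass
class SA:
    spi: int
    selector: Selector  # comes from the local SPD, not from IKE negotiation

def outbound_sa(sadb, pkt):
    """Initiator side: pick the first SA whose selectors cover the packet."""
    return next((sa for sa in sadb if sa.selector.matches(pkt)), None)

def inbound_check(sadb, spi, pkt):
    """Responder side, RFC 2401 inbound processing: after decapsulation the
    packet must fall inside the selectors bound to the SA named by the SPI."""
    sa = next((s for s in sadb if s.spi == spi), None)
    if sa is None:
        return "no-sa"
    return "accept" if sa.selector.matches(pkt) else "discard"

def send(initiator_sadb, responder_sadb, pkt):
    sa = outbound_sa(initiator_sadb, pkt)
    if sa is None:
        return "trigger-ike"  # no SA covers the packet: negotiate a new one
    return inbound_check(responder_sadb, sa.spi, pkt)

# Constructed scenario: one IKE exchange installed SPI 0x100 on both peers,
# but each peer attached the selectors of its own SPD entry.
SPI = 0x100
BROAD = Selector("10.0.0.1", "10.0.0.2", ANY)       # initiator's SPD entry
TCP_ONLY = Selector("10.0.0.1", "10.0.0.2", "tcp")  # responder's SPD entry
TCP = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "tcp"}
ICMP = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "icmp"}

def demo():
    unsynced = ([SA(SPI, BROAD)], [SA(SPI, TCP_ONLY)])
    # Had the selectors been negotiated, both peers would hold TCP_ONLY
    # and the initiator would have no SA for ICMP, so it would start IKE.
    synced = ([SA(SPI, TCP_ONLY)], [SA(SPI, TCP_ONLY)])
    return (send(*unsynced, TCP), send(*unsynced, ICMP), send(*synced, ICMP))
```

`demo()` returns the three outcomes in order: TCP accepted, ICMP silently discarded by the responder, and, with negotiated selectors, ICMP triggering a fresh negotiation on the initiator instead.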
