
Re: On the Use of SCTP with IPsec




> But this reminds me of an issue that wasn't clear to me. In your
> draft section 3.b you talk about IKE validating the phase 2
> selectors,

My "regular bi-monthly rant follows"... [about no policy in IKE :-]

One should not add more complexity to the IKE. Instead one should
remove *ALL* selector information (that is used to check the policy)
from IKE phase 2 negotiations.

The kernel checks the policy anyway (if it follows RFC2401 correctly);
IKE doesn't need to do anything else but negotiate the phase 2
session keys.

In such an architecture, IKE negotiation will succeed, even if the
policies don't match, but the kernel checks will guarantee that
invalid packets are dropped (and mismatched policy is detected that
way).

-- 
Markku Savela <Markku.Savela@iki.fi>
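The inbound check the message relies on, modelled as an added example that is not part of the original post and not anyone's real IKE or kernel code: the (pretend) IKE daemon hands the kernel only an SPI and a key, the kernel binds the SA to its own SPD entry, and after decapsulation every packet is compared against that entry's selectors as RFC 2401 section 5.2 requires. The class and function names (Selector, Sa, Kernel, inbound_esp, inbound_plain, demo), the addresses, and the mismatched peer policy are all constructed for illustration; decryption and ICV checking are omitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """One SPD entry's traffic selectors, written in the inbound
    direction (src = remote side, dst = local side)."""
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: Optional[int] = None  # None means any protocol

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or pkt["proto"] == self.proto))


@dataclass
class Sa:
    spi: int
    key: bytes
    policy: Selector  # the local SPD entry this SA was created for


class Kernel:
    def __init__(self, spd):
        self.spd = list(spd)  # ordered PROTECT entries (hypothetical SPD)
        self.sad = {}         # spi -> Sa
        self.log = []         # reasons for every drop, for the reader

    def install_sa(self, spi: int, key: bytes, policy: Selector) -> None:
        # IKE contributes only the SPI and keying material.  The policy
        # binding comes from the kernel's own SPD, never from whatever
        # selectors the peer may have proposed in phase 2.
        self.sad[spi] = Sa(spi, key, policy)

    def inbound_esp(self, spi: int, inner_pkt: dict) -> str:
        sa = self.sad.get(spi)
        if sa is None:
            return self._drop("unknown SPI %#x" % spi)
        # (decryption and ICV verification would happen here; omitted)
        # RFC 2401 5.2: the decapsulated packet must match the selectors
        # of the SPD entry the SA is bound to, or it is discarded.
        if not sa.policy.matches(inner_pkt):
            return self._drop("%s->%s outside policy %s->%s on SPI %#x"
                              % (inner_pkt["src"], inner_pkt["dst"],
                                 sa.policy.src, sa.policy.dst, spi))
        return "accept"

    def inbound_plain(self, pkt: dict) -> str:
        # Cleartext traffic that the SPD says must be protected is also
        # dropped; a peer with a narrower policy than ours shows up here.
        for policy in self.spd:
            if policy.matches(pkt):
                return self._drop("cleartext %s->%s requires protection"
                                  % (pkt["src"], pkt["dst"]))
        return "accept"

    def _drop(self, reason: str) -> str:
        self.log.append(reason)
        return "drop"


def demo():
    """Constructed scenario: our SPD protects 10.2.0.0/24 -> 10.1.0.0/24.
    The peer (mis)configured the same tunnel as 10.2.0.0/16 -> 10.1.0.0/16.
    IKE has no selectors to compare, so phase 2 'succeeds' and both sides
    end up with SPI 0x1001 and a shared key."""
    local_policy = Selector(src="10.2.0.0/24", dst="10.1.0.0/24")
    kernel = Kernel(spd=[local_policy])
    kernel.install_sa(spi=0x1001, key=b"\x11" * 16, policy=local_policy)

    results = [
        # inside both policies: accepted
        kernel.inbound_esp(0x1001, {"src": "10.2.0.5", "dst": "10.1.0.7", "proto": 6}),
        # inside the peer's /16 but outside our /24: the mismatch is caught here
        kernel.inbound_esp(0x1001, {"src": "10.2.7.1", "dst": "10.1.0.7", "proto": 6}),
        # peer sends in the clear what we require to be protected
        kernel.inbound_plain({"src": "10.2.0.9", "dst": "10.1.0.3", "proto": 17}),
        # no SA at all for this SPI
        kernel.inbound_esp(0x2002, {"src": "10.2.0.5", "dst": "10.1.0.7", "proto": 6}),
    ]
    return results, kernel.log


if __name__ == "__main__":
    verdicts, reasons = demo()
    for verdict in verdicts:
        print(verdict)
    for reason in reasons:
        print("  dropped:", reason)
```

The point of the model is that nothing in it consults what the peer proposed: an SA is only ever a key plus a pointer into the local SPD, so a policy mismatch cannot produce accepted traffic, only drops whose reasons end up in the log.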


