
Re: On the Use of SCTP with IPsec



> 
> > But this reminds me of an issue that wasn't clear to me. In your
> > draft section 3.b you talk about IKE validating the phase 2
> > selectors,
> 
> My "regular bi-monthly rant follows"... [about no policy in IKE :-]
> 
> One should not add more complexity to the IKE. Instead one should
> remove *ALL* selector information (that is used to check the policy)
> from IKE phase 2 negotiations.
> 
> The kernel checks the policy anyway (if it follows RFC2401 correctly),
> IKE doesn't need to do anything else but negotiate the phase 2
> session keys.

Hmm, I guess I'm missing something...

   Let's say you are a VPN gateway developer who wishes to interoperate
with a VPN client.  The VPN client establishes a tunnel from a DHCP-
assigned interface address using a virtual IP address inside the tunnel.
How does the kernel discover what virtual address has been selected by
the client (currently the phase 2 identity) if IKE doesn't tell him?

Regards,
Michael Carney - Secure Computing Corporation.

> 
> In such an architecture, IKE negotiation will succeed, even if the
> policies don't match, but the kernel checks will guarantee that
> invalid packets are dropped (and mismatched policy is detected that
> way).
> 
> -- 
> Markku Savela <Markku.Savela@iki.fi>
> 
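The two positions above (kernel-side RFC 2401 policy checking versus IKE-installed phase 2 selectors) can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from either poster. It models a gateway kernel with an SPD and an SAD, and compares an SA installed with the selectors IKE negotiated against an SA installed with keys only. The address pool, intranet prefix and SPI values are constructed for the example.

```python
"""Toy RFC 2401-style inbound check (constructed example, not from the thread).

Compares two SA-installation styles on a VPN gateway:
  * selectors from IKE: phase 2 installs the client's virtual IP as the SA's
    source selector, so the kernel can tie decapsulated packets to the right
    client.
  * keys only: IKE installs keys and nothing else; the kernel can only check
    the SPD, which knows the pool but not which client owns which address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class SPDEntry:
    """Security Policy Database entry: traffic matching src/dst gets 'action'."""
    src: IPv4Network
    dst: IPv4Network
    action: str  # "protect" or "discard"


@dataclass
class SAEntry:
    """Security Association: keys (elided) plus optional negotiated selectors."""
    spi: int
    src_sel: Optional[IPv4Network]  # None when IKE installed keys only
    dst_sel: Optional[IPv4Network]


class Kernel:
    def __init__(self, spd: List[SPDEntry], sad: Dict[int, SAEntry]):
        self.spd = spd
        self.sad = sad

    def spd_lookup(self, src, dst) -> Optional[SPDEntry]:
        """First-match SPD lookup, as an ordered policy table."""
        for entry in self.spd:
            if src in entry.src and dst in entry.dst:
                return entry
        return None

    def inbound(self, spi: int, inner_src: str, inner_dst: str) -> str:
        """Return 'accept' or 'drop: <reason>' for a decapsulated packet."""
        sa = self.sad.get(spi)
        if sa is None:
            return "drop: no SA for SPI"
        src, dst = ip_address(inner_src), ip_address(inner_dst)
        # Step 1: inner packet must fall inside the SA's selectors, if any.
        if sa.src_sel is not None and src not in sa.src_sel:
            return "drop: source outside SA selector"
        if sa.dst_sel is not None and dst not in sa.dst_sel:
            return "drop: destination outside SA selector"
        # Step 2: the SPD must require protection for this traffic at all.
        entry = self.spd_lookup(src, dst)
        if entry is None or entry.action != "protect":
            return "drop: policy does not require IPsec for this traffic"
        return "accept"


# Constructed addressing: clients get virtual IPs from POOL and reach INTRANET.
POOL = ip_network("172.16.0.0/16")
INTRANET = ip_network("10.0.0.0/8")
SPD = [SPDEntry(POOL, INTRANET, "protect")]
CLIENT_SPI = 0x1001  # constructed SPI for one client's inbound SA


def gateway_with_selectors() -> Kernel:
    """IKE phase 2 told the kernel this SA carries traffic from 172.16.0.5."""
    sad = {CLIENT_SPI: SAEntry(CLIENT_SPI, ip_network("172.16.0.5/32"), INTRANET)}
    return Kernel(SPD, sad)


def gateway_keys_only() -> Kernel:
    """IKE phase 2 installed keys only; the SA carries no selectors."""
    sad = {CLIENT_SPI: SAEntry(CLIENT_SPI, None, None)}
    return Kernel(SPD, sad)


if __name__ == "__main__":
    for name, gw in (("selectors", gateway_with_selectors()),
                     ("keys-only", gateway_keys_only())):
        print(name, "own address  :", gw.inbound(CLIENT_SPI, "172.16.0.5", "10.1.2.3"))
        print(name, "other client :", gw.inbound(CLIENT_SPI, "172.16.0.9", "10.1.2.3"))
        print(name, "off-policy   :", gw.inbound(CLIENT_SPI, "192.168.1.1", "10.1.2.3"))
```

Run as a script, the keys-only gateway still drops traffic the SPD does not cover, which is the check Markku relies on; but a packet from another pool address arriving over this client's SA is accepted, because nothing told the kernel which virtual address belongs to which SA. That is the gap Michael's question points at: with a client-chosen virtual address, the per-SA selector has to come from somewhere, and in IKE it comes from the phase 2 identity.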



