Re: On the Use of SCTP with IPsec
>
> > But this reminds me of an issue that wasn't clear to me. In your
> > draft section 3.b you talk about IKE validating the phase 2
> > selectors,
>
> My "regular bi-monthly rant follows"... [about no policy in IKE :-]
>
> One should not add more complexity to the IKE. Instead one should
> remove *ALL* selector information (that is used to check the policy)
> from IKE phase 2 negotiations.
>
> The kernel checks the policy anyway (if it follows RFC2401 correctly),
> IKE doesn't need to do anything else but negotiate the phase 2
> session keys.
Hmm, I guess I'm missing something...
Let's say you are a VPN gateway developer who wishes to interoperate
with a VPN client. The VPN client establishes a tunnel from a DHCP
assigned interface address using a virtual IP address inside the tunnel.
How does the kernel discover what virtual address has been selected by
the client (currently the phase 2 identity) if IKE doesn't tell him?
Regards,
Michael Carney - Secure Computing Corporation.
>
> In such an architecture, IKE negotiation will succeed, even if the
> policies don't match, but the kernel checks will guarantee that
> invalid packets are dropped (and mismatched policy is detected that
> way).
>
> --
> Markku Savela <Markku.Savela@iki.fi>
>
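The RFC 2401 inbound check that Markku's argument leans on, written out as a small model. This is an added example for this archive page, not code from either poster or from any IPsec implementation; the SPD entries, SAs, SPI values, addresses and packets are all constructed for illustration. The model follows the "no selectors from IKE" architecture: the inbound SA's selectors are copied from the local SPD entry, and the kernel compares each decapsulated packet against them, so a peer whose policy does not match gets its packets dropped at that point rather than having the mismatch surface during phase 2.

```python
"""Toy model of RFC 2401 inbound policy checking after IPsec decapsulation.

Constructed example: the SPD/SAD contents and packets below are made up
to illustrate the argument that the kernel, not IKE, enforces policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for the protocol field of a selector


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int  # IP protocol number (6 = TCP, 17 = UDP, ...)


@dataclass(frozen=True)
class Selector:
    """RFC 2401 traffic selector: address ranges plus an optional protocol."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.proto is ANY or self.proto == p.proto))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str  # "protect", "bypass" or "discard"


@dataclass(frozen=True)
class SA:
    """Inbound SA. Its selectors are copied from the local SPD entry that
    caused it to be set up, not from anything the peer said in IKE."""
    spi: int
    selector: Selector


def pkt(src: str, dst: str, proto: int = 6) -> Packet:
    return Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def inbound_check(sad: dict, spd: list, spi: int, inner: Packet) -> str:
    """Decide the fate of a packet that arrived inside an ESP/AH SA.

    Mirrors RFC 2401 section 5.2: after decapsulation the inner packet must
    match the selectors of the SA it arrived on, and the SPD must say that
    this traffic was required to be protected.
    """
    sa = sad.get(spi)
    if sa is None:
        return "drop: no SA for SPI %#x" % spi
    if not sa.selector.matches(inner):
        # The peer negotiated an SA but sends traffic that the local policy
        # never bound to it: the mismatch surfaces here, not in IKE.
        return "drop: inner packet outside SA selectors"
    for entry in spd:  # ordered list, first match wins
        if entry.selector.matches(inner):
            if entry.action == "protect":
                return "accept"
            return "drop: SPD says %s, but packet arrived protected" % entry.action
    return "drop: no SPD entry"


# --- Constructed scenario: VPN gateway with a virtual-address pool ---------
POOL = net("10.1.0.0/24")         # virtual addresses handed out to clients
INTERNAL = net("192.168.1.0/24")  # protected network behind the gateway

SPD = [
    SPDEntry(Selector(POOL, INTERNAL), "protect"),
    SPDEntry(Selector(net("0.0.0.0/0"), net("0.0.0.0/0")), "discard"),
]
SAD = {0x1001: SA(spi=0x1001, selector=SPD[0].selector)}


def good_client() -> str:
    """Client sources traffic from a virtual IP in the pool: accepted."""
    return inbound_check(SAD, SPD, 0x1001, pkt("10.1.0.7", "192.168.1.10"))


def misconfigured_client() -> str:
    """Same SA, but the client uses its real LAN address inside the tunnel.
    IKE was satisfied; the kernel is not."""
    return inbound_check(SAD, SPD, 0x1001, pkt("172.16.5.5", "192.168.1.10"))


def unknown_spi() -> str:
    """No SA at all for this SPI: dropped before any selector is consulted."""
    return inbound_check(SAD, SPD, 0x2002, pkt("10.1.0.7", "192.168.1.10"))


if __name__ == "__main__":
    for f in (good_client, misconfigured_client, unknown_spi):
        print(f.__name__, "->", f())
```

Note that the SA selector in this model is the whole virtual pool rather than the single address the client chose. A gateway whose policy is keyed on the exact virtual address would still have to learn that address from somewhere, which is the gap Carney's question points at.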