
Re: IKEv2 traffic selector subsetting.



Steve,

Stephen Kent <kent@bbn.com> writes:

> We have maintained that the SA binding for a packet must be 
> maintained to ensure that the firewall-style rule checks are applied 
> to packets in the context of the SAs with which the rules are 
> associated.

What I don't understand is why this 'binding' needs to be agreed upon?
The binding of the packet to the SA is quite easy -- the packet is
encrypted/signed under the ESP/AH key negotiated earlier.  If the
"firewall" rules are locally defined, then isn't it sufficient to know
within the IPsec/firewall processing that a particular inbound packet
is associated with SA #x?

What do traffic selectors really buy you in the face of
locally-defined firewalling rules?  I suppose it can be a "request" of
your peer not to send you traffic that you plan to drop/ignore.  But
that's just a convenience for your sake; you still have to check every
packet against your local inbound rules.

> Steve

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
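The two checks the exchange above argues about, modelled in code as an added example (this is not code from the thread, from Derek, or from any IKEv2 implementation): a packet is bound to an SA by its SPI and by the integrity check under that SA's key, and only then is it compared against the selector rules that are local to that SA. The narrowing step shows the "subsetting" from the subject line, with the responder keeping the subset of the peer's proposal its own policy permits. The wire format (SPI || inner header || HMAC-SHA256 ICV), the addresses, the SPI value and the keys are all constructed for the demo, and encryption is left out because only the ICV matters for the binding argument.

```python
"""Toy model of SA binding plus per-SA selector checks. Constructed example;
not real ESP/AH framing and not any real IKEv2 code."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

MAC_LEN = 32  # HMAC-SHA256 tag length used as the ICV in this model


@dataclass
class Selector:
    """One traffic selector / firewall rule: address ranges, protocol, dest ports."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int = 0           # 0 means "any protocol"
    dport_lo: int = 0
    dport_hi: int = 65535

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (0, proto)
                and self.dport_lo <= dport <= self.dport_hi)


@dataclass
class SA:
    spi: int
    key: bytes
    selectors: list  # local inbound rules bound to this SA


def _narrow_net(a, b):
    """Keep the more specific of two networks; None if they do not nest."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed, policy):
    """IKEv2-style narrowing: the responder keeps the subset of the peer's
    proposal that local policy allows. None means no overlap (a real
    responder would answer TS_UNACCEPTABLE)."""
    src = _narrow_net(proposed.src, policy.src)
    dst = _narrow_net(proposed.dst, policy.dst)
    if src is None or dst is None:
        return None
    if proposed.proto and policy.proto and proposed.proto != policy.proto:
        return None
    proto = proposed.proto or policy.proto
    lo = max(proposed.dport_lo, policy.dport_lo)
    hi = min(proposed.dport_hi, policy.dport_hi)
    if lo > hi:
        return None
    return Selector(src, dst, proto, lo, hi)


def build_packet(sa, src, dst, proto, dport):
    """Constructed wire format: SPI || inner header || ICV under the SA key."""
    inner = f"{src}|{dst}|{proto}|{dport}".encode()
    body = sa.spi.to_bytes(4, "big") + inner
    return body + hmac.new(sa.key, body, hashlib.sha256).digest()


def inbound(sad, packet):
    """Inbound path: look up the SA by SPI, verify the ICV under that SA's key
    (this is the binding), then apply the rules local to that SA."""
    if len(packet) < 4 + MAC_LEN:
        return "DROP: malformed"
    spi = int.from_bytes(packet[:4], "big")
    sa = sad.get(spi)
    if sa is None:
        return "DROP: unknown SPI"
    body, icv = packet[:-MAC_LEN], packet[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(sa.key, body, hashlib.sha256).digest(), icv):
        return "DROP: bad ICV"
    src, dst, proto, dport = body[4:].decode().split("|")
    # Every packet is still checked against the local rules for this SA,
    # even though the peer agreed not to send traffic outside them.
    if any(s.matches(src, dst, int(proto), int(dport)) for s in sa.selectors):
        return "ACCEPT"
    return "DROP: outside this SA's selectors"


def demo():
    """Negotiate a narrowed selector, then run inbound packets through."""
    net = ipaddress.IPv4Network
    policy = Selector(net("10.0.0.0/8"), net("192.168.1.0/24"), proto=6)
    proposed = Selector(net("10.1.0.0/16"), net("192.168.1.0/24"), 0, 443, 443)
    ts = narrow(proposed, policy)          # 10.1.0.0/16 -> 192.168.1.0/24, TCP/443
    sa = SA(spi=0x1000, key=b"k" * 32, selectors=[ts])   # constructed key
    other = SA(spi=0x1000, key=b"x" * 32, selectors=[])  # same SPI, wrong key
    sad = {sa.spi: sa}
    return {
        "narrowed": ts,
        "good": inbound(sad, build_packet(sa, "10.1.2.3", "192.168.1.5", 6, 443)),
        "forged": inbound(sad, build_packet(other, "10.1.2.3", "192.168.1.5", 6, 443)),
        "off_policy": inbound(sad, build_packet(sa, "10.1.2.3", "192.168.1.5", 6, 80)),
        "no_overlap": narrow(Selector(net("172.16.0.0/12"), net("192.168.1.0/24")), policy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The "forged" case is the binding at work: a packet carrying the right SPI but built under a different key never reaches the rule check. The "off_policy" case is Derek's point about convenience: the peer agreed to TCP/443 only, yet a valid packet to port 80 is still caught only because the local rules for SA 0x1000 are applied to every packet.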

