Re: IKEv2 traffic selector subsetting.
Steve,
Stephen Kent <kent@bbn.com> writes:
> We have maintained that the SA binding for a packet must be
> maintained to ensure that the firewall-style rule checks are applied
> to packets in the context of the SAs with which the rules are
> associated.
What I don't understand is why this 'binding' needs to be agreed upon?
The binding of the packet to the SA is quite easy -- the packet is
encrypted/signed under the ESP/AH key negotiated earlier. If the
"firewall" rules are locally defined, then isn't it sufficient to know
within the IPsec/firewall processing that a particular inbound packet
is associated with SA #x?
What do traffic selectors really buy you in the face of
locally-defined firewalling rules? I suppose it can be a "request" of
your peer not to send you traffic that you plan to drop/ignore. But
that's just a convenience for your sake; you still have to check every
packet against your local inbound rules.
> Steve
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
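As an added illustration of the inbound processing being discussed (this is example code written for this page, not code from the thread or from any IPsec implementation): the SPI selects the SA and a valid ICV under that SA's key is what binds the packet to "SA #x"; only then are the negotiated traffic selectors and the locally defined inbound rules applied to the decapsulated packet, in the context of that SA. The SAD contents, keys, addresses, rule table and function names are all constructed for the example.

```python
"""Model of inbound ESP/AH processing: SPI + integrity key bind a packet to
one SA; negotiated selectors and local inbound rules are then checked in
that SA's context.  Added example; SPIs, keys, addresses are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Inner packet header carried inside ESP/AH: src(4) dst(4) proto(1) sport(2) dport(2)
HDR = struct.Struct("!4s4sBHH")


@dataclass(frozen=True)
class Selector:
    proto: int                   # 0 = any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                 # inclusive (lo, hi) destination port range

    def matches(self, pkt):
        return ((self.proto == 0 or self.proto == pkt["proto"])
                and pkt["src"] in self.src and pkt["dst"] in self.dst
                and self.dport[0] <= pkt["dport"] <= self.dport[1])


@dataclass(frozen=True)
class SA:
    spi: int
    auth_key: bytes
    selectors: tuple             # TSi/TSr agreed in IKE: what the peer said it would send


def sel(proto, src, dst, lo=0, hi=65535):
    return Selector(proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), (lo, hi))


# Constructed SAD: two inbound SAs with different keys and selectors.
SAD = {
    0x1001: SA(0x1001, b"k" * 32, (sel(6, "10.1.0.0/16", "192.0.2.10/32", 22, 22),)),
    0x1002: SA(0x1002, b"j" * 32, (sel(0, "10.2.0.0/16", "192.0.2.0/24"),)),
}

# Locally defined inbound rules: (spi or None for any SA, selector, action).
# First match wins; default is drop.  Constructed for the example.
LOCAL_RULES = [
    (0x1001, sel(6, "10.1.0.0/16", "192.0.2.10/32", 22, 22), "accept"),
    (0x1002, sel(17, "10.2.0.0/16", "192.0.2.0/24", 53, 53), "accept"),
]


def icv(key, body):
    # Truncated HMAC-SHA256 standing in for the ESP/AH integrity check value.
    return hmac.new(key, body, hashlib.sha256).digest()[:16]


def parse_inner(body):
    src, dst, proto, sport, dport = HDR.unpack_from(body)
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def process_inbound(spi, body, tag):
    """Return (verdict, reason).  Binding to the SA comes from the SPI plus a
    valid ICV under that SA's key; only then are selectors and rules applied."""
    sa = SAD.get(spi)
    if sa is None:
        return "drop", "no SA for SPI"
    if not hmac.compare_digest(icv(sa.auth_key, body), tag):
        return "drop", "ICV check failed: packet not bound to SA"
    pkt = parse_inner(body)
    # Negotiated selectors: the peer's promise about what it would send on this SA.
    if not any(ts.matches(pkt) for ts in sa.selectors):
        return "drop", "outside negotiated traffic selectors"
    # Local rules are still evaluated for every packet, in the context of this SA.
    for rule_spi, ts, action in LOCAL_RULES:
        if rule_spi in (None, spi) and ts.matches(pkt):
            return action, "local rule matched"
    return "drop", "no local rule matched"


def make_packet(src, dst, proto, sport, dport, payload=b""):
    return HDR.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                    proto, sport, dport) + payload


def demo():
    results = {}
    body = make_packet("10.1.5.5", "192.0.2.10", 6, 40000, 22, b"ssh")
    results["ssh_ok"] = process_inbound(0x1001, body, icv(SAD[0x1001].auth_key, body))
    # Same bytes protected under the other SA's key: the binding to SA 0x1001 fails.
    results["wrong_key"] = process_inbound(0x1001, body, icv(SAD[0x1002].auth_key, body))
    # Inside SA 0x1002's broad selectors, but no local rule allows TCP/80 on that SA.
    body2 = make_packet("10.2.7.7", "192.0.2.20", 6, 40000, 80)
    results["no_local_rule"] = process_inbound(0x1002, body2, icv(SAD[0x1002].auth_key, body2))
    # Outside SA 0x1001's selectors, even though a local rule would allow it on SA 0x1002.
    body3 = make_packet("10.2.7.7", "192.0.2.20", 17, 40000, 53)
    results["outside_ts"] = process_inbound(0x1001, body3, icv(SAD[0x1001].auth_key, body3))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The four cases in `demo()` separate the three checks: a packet whose ICV does not verify under the SA's key is never bound to that SA and is dropped before any selector or rule is consulted; a packet inside the negotiated selectors can still be dropped by the local rules; and a packet outside the SA's selectors is dropped regardless of what the local rules would say for a different SA.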