
Re: IKEv2 traffic selector subsetting.



On 19 Dec 2001, Derek Atkins wrote:
> What do traffic selectors really buy you in the face of
> locally-defined firewalling rules?  I suppose it can be a "request" of
> your peer not to send you traffic that you plan to drop/ignore.  But
> that's just a convenience for your sake; you still have to check every
> packet against your local inbound rules.

For the peer, it's more than just a convenience -- it's a guarantee that
errors of various kinds will not send packets into a black hole.  The peer
has to decide *somehow* which packets go into the tunnel, and having that
independently configured on the two ends is asking for trouble. 

                                                          Henry Spencer
                                                       henry@spsystems.net
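The black-hole failure Henry describes, as an added example that is not part of the original thread: when each end configures its selector independently, the initiator tunnels packets the responder's local rule drops; narrowing to the intersection, as an IKEv2 responder does with traffic selectors, closes that gap. The `TS` class, the addresses and the packet list are constructed for illustration.

```python
from ipaddress import ip_address

# A traffic selector as IKEv2 carries it (address range, port range, protocol;
# proto 0 means "any"). Constructed model, not a real IKE implementation.
class TS:
    def __init__(self, lo, hi, port_lo=0, port_hi=65535, proto=0):
        self.lo, self.hi = ip_address(lo), ip_address(hi)
        self.port_lo, self.port_hi, self.proto = port_lo, port_hi, proto

    def covers(self, addr, port, proto):
        """Would this end tunnel/accept the packet (addr, port, proto)?"""
        return (self.lo <= ip_address(addr) <= self.hi
                and self.port_lo <= port <= self.port_hi
                and self.proto in (0, proto))

    def narrow(self, other):
        """Responder-style narrowing: the largest subset of self that other
        also accepts, or None when the two selectors do not overlap at all."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        plo, phi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if lo > hi or plo > phi:
            return None
        return TS(lo, hi, plo, phi, self.proto or other.proto)

def black_holed(sender_ts, receiver_ts, packets):
    """Packets the sender tunnels but the receiver's rule silently drops."""
    return [p for p in packets
            if sender_ts.covers(*p) and not receiver_ts.covers(*p)]

# Constructed scenario: initiator's outbound policy covers the whole /24,
# responder's local inbound rule only the lower half of it.
INITIATOR_TSR = TS("192.168.1.0", "192.168.1.255")
RESPONDER_LOCAL = TS("192.168.1.0", "192.168.1.127")
PACKETS = [("192.168.1.10", 443, 6), ("192.168.1.200", 22, 6), ("10.9.9.9", 80, 6)]

if __name__ == "__main__":
    print("independent config:", black_holed(INITIATOR_TSR, RESPONDER_LOCAL, PACKETS))
    negotiated = INITIATOR_TSR.narrow(RESPONDER_LOCAL)
    print("after narrowing:", black_holed(negotiated, RESPONDER_LOCAL, PACKETS))
```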


