Re: IKEv2 traffic selector subsetting.
On 19 Dec 2001, Derek Atkins wrote:
> What do traffic selectors really buy you in the face of
> locally-defined firewalling rules? I suppose it can be a "request" of
> your peer not to send you traffic that you plan to drop/ignore. But
> that's just a convenience for your sake; you still have to check every
> packet against your local inbound rules.
For the peer, it's more than just a convenience -- it's a guarantee that
errors of various kinds will not send packets into a black hole. The peer
has to decide *somehow* which packets go into the tunnel, and having that
independently configured on the two ends is asking for trouble.
Henry Spencer
henry@spsystems.net
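The point Henry is making, shown in code. This is an added example and not part of the original thread or of any IKE implementation: a responder narrows the initiator's proposed traffic selectors to the intersection with its own policy (the subsetting later specified in RFC 7296 section 2.9), and the initiator installs the narrowed result rather than its locally configured selectors. The final function lists the packets that an initiator using its own, independently configured selectors would push into the tunnel even though the peer never agreed to accept them, i.e. the black hole. It assumes IPv4, models only the remote-side (TSr) selector, and uses constructed addresses and packets; the names `TrafficSelector`, `intersect`, `narrow`, `tunnelled` and `black_holed` are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2-style TS entry: IP protocol (0 = any), address range, port range."""
    proto: int
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  ports: Tuple[int, int] = (0, 65535)) -> "TrafficSelector":
        net = ip_network(cidr, strict=False)
        return cls(proto, net[0], net[-1], ports[0], ports[1])

    def matches(self, proto: int, addr: str, port: int) -> bool:
        a = ip_address(addr)
        return ((self.proto == 0 or self.proto == proto)
                and self.start_addr <= a <= self.end_addr
                and self.start_port <= port <= self.end_port)


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Largest selector covered by both a and b, or None if they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    proto = a.proto or b.proto
    lo_addr, hi_addr = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    if lo_addr > hi_addr:
        return None
    lo_port, hi_port = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo_port > hi_port:
        return None
    return TrafficSelector(proto, lo_addr, hi_addr, lo_port, hi_port)


def narrow(proposed: List[TrafficSelector],
           policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Responder side: reduce the initiator's proposal to what local policy allows.
    An empty result is the case the protocol reports as TS_UNACCEPTABLE."""
    agreed: List[TrafficSelector] = []
    for p in proposed:
        for q in policy:
            ts = intersect(p, q)
            if ts is not None and ts not in agreed:
                agreed.append(ts)
    return agreed


def tunnelled(selectors: List[TrafficSelector], proto: int, dst: str, port: int) -> bool:
    """Would a sender with these selectors installed put this packet into the tunnel?"""
    return any(ts.matches(proto, dst, port) for ts in selectors)


def black_holed(packets, own_config, agreed):
    """Packets the initiator would tunnel under its own configuration but which
    the peer never agreed to accept: they are sent and silently discarded."""
    return [pkt for pkt in packets
            if tunnelled(own_config, *pkt) and not tunnelled(agreed, *pkt)]


# Constructed scenario (not from the thread): the initiator is configured to
# tunnel everything destined for 10.2.0.0/16, the responder only admits TCP to
# one /24 and DNS-style UDP to one host.
initiator_proposal = [TrafficSelector.from_cidr("10.2.0.0/16")]
responder_policy = [TrafficSelector.from_cidr("10.2.0.0/24", proto=6),
                    TrafficSelector.from_cidr("10.2.9.9/32", proto=17)]
agreed = narrow(initiator_proposal, responder_policy)

# Constructed sample packets as (proto, dst, dst_port).
packets = [(6, "10.2.0.7", 443), (6, "10.2.5.1", 80),
           (17, "10.2.9.9", 53), (17, "10.2.9.10", 53)]

if __name__ == "__main__":
    for ts in agreed:
        print("agreed:", ts)
    print("black-holed if initiator keeps its own selectors:",
          black_holed(packets, initiator_proposal, agreed))
```

With the narrowed selectors installed, the initiator simply does not tunnel the second and fourth packets, so whatever happens to them (normal routing, an explicit drop) is decided locally and visibly; with the original /16 installed on both ends independently, those packets go into the SA and vanish at the peer.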