
Re: IKEv2 traffic selector subsetting.



Henry Spencer <henry@spsystems.net> writes:

> On 19 Dec 2001, Derek Atkins wrote:
> > What do traffic selectors really buy you in the face of
> > locally-defined firewalling rules?  I suppose it can be a "request" of
> > your peer not to send you traffic that you plan to drop/ignore.  But
> > that's just a convenience for your sake; you still have to check every
> > packet against your local inbound rules.
> 
> For the peer, it's more than just a convenience -- it's a guarantee that
> errors of various kinds will not send packets into a black hole.  The peer
> has to decide *somehow* which packets go into the tunnel, and having that
> independently configured on the two ends is asking for trouble. 

Why?  I send you what I plan to accept; you send me what you plan to
accept.  Nothing says that these two statements of acceptance have to
agree, and nothing states that you have to actually comply.

Basically, you're saying that I need to send you the equivalent of all
the firewall rules that affect you?

>                                                           Henry Spencer
>                                                        henry@spsystems.net

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
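As an added illustration of the disagreement above (example code, not part of the thread): a simplified model of IKEv2 traffic selectors as (protocol, address range, port range) triples, narrowed by intersection the way the protocol negotiates them, next to the independently configured case where a packet the initiator tunnels is dropped by the responder's local policy, which is the black hole Henry refers to. The selector values, policy names and helper functions are all constructed for the example; real IKEv2 selectors are lists of ranges and narrowing is richer than a single intersection.

```python
# Added example: single-selector model of IKEv2 traffic-selector narrowing.
# Addresses, ports and policy names below are constructed, not from the thread.
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class TrafficSelector:
    proto: int                # 0 = any protocol
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int
    end_port: int

    def matches(self, proto, addr, port):
        """True if a packet (proto, addr, port) falls inside this selector."""
        return ((self.proto == 0 or self.proto == proto)
                and self.start_addr <= addr <= self.end_addr
                and self.start_port <= port <= self.end_port)

def narrow(a, b):
    """Intersection of two selectors (IKEv2-style narrowing), None if disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    proto = a.proto or b.proto
    sa, ea = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if sa > ea or sp > ep:
        return None
    return TrafficSelector(proto, sa, ea, sp, ep)

def ts(proto, lo, hi, p0, p1):
    return TrafficSelector(proto, IPv4Address(lo), IPv4Address(hi), p0, p1)

# Constructed policies: the initiator proposes a wide selector, the responder's
# local inbound policy only accepts TCP to the lower half of the subnet.
INITIATOR_PROPOSAL = ts(0, "10.0.0.0", "10.0.0.255", 0, 65535)
RESPONDER_POLICY = ts(6, "10.0.0.0", "10.0.0.127", 0, 65535)

def black_holed(proto, addr, port):
    """Independent config: initiator tunnels the packet, responder drops it."""
    addr = IPv4Address(addr)
    return (INITIATOR_PROPOSAL.matches(proto, addr, port)
            and not RESPONDER_POLICY.matches(proto, addr, port))

def tunneled_after_narrowing(proto, addr, port):
    """Negotiated config: both ends apply the narrowed selector, so a packet
    is either tunneled and accepted, or never enters the tunnel at all."""
    agreed = narrow(INITIATOR_PROPOSAL, RESPONDER_POLICY)
    return agreed is not None and agreed.matches(proto, IPv4Address(addr), port)
```

The responder still checks every arriving packet against its local rules either way; narrowing only guarantees the initiator never tunnels something the responder has already said it will not accept.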

