
Re: IKEv2 traffic selector subsetting.



> From: Henry Spencer <henry@spsystems.net>

> If the responder says "yes" to the initiator's request, then it should set
> up selectors which match the initiator's request!  Anything else is a bug.
> If the responder cannot comply *fully* with the request, its answer should
> be "no".

Hmm... then any sensible responder will have to say "NO" to any other
selectors, except at most the one that specifies exactly one pair of
hosts (initiator - responder).

As a responder, I wouldn't want a random initiator to dictate my
security requirements for any other host. (If I did that, someone
could just declare itself as a security gateway for 192/8 (or any
random range of addresses) and get all my traffic routed to itself...)

I must be missing something? What?