
Re: IKEv2 traffic selector subsetting.



On Tue, 25 Dec 2001, Markku Savela wrote:
> > If the responder says "yes" to the initiator's request, then it should set
> > up selectors which match the initiator's request!  Anything else is a bug.
> > If the responder cannot comply *fully* with the request, its answer should
> > be "no".
> 
> Hmm.. then, any sensible responder will have to say "NO" to any other
> selectors, except at most the one that specifies exactly one pair of
> hosts (initiator - responder).

I don't see how this follows.  Certainly the responder will have to know
which hosts it can act on behalf of, and which hosts a particular initiator
can plausibly act on behalf of, and limit itself to tunnels which fit those
constraints.  But those sets don't have to include only the responder and
initiator themselves.

> As a responder, I wouldn't want a random initiator to dictate my
> security requirements for any other host. (If I did that, someone
> could just declare itself as a security gateway for 192/8 (any
> random range of addresses) and get all my traffic routed to itself...)

Indeed so.  But that just says that the responder has to have either some
knowledge of which hosts are behind which initiators, or some way to ask
for validation of a particular initiator request.  There is nothing
conceptually difficult about this. 

Moreover, I don't see how you avoid such a requirement in any case.  How
do you know which traffic you can safely route into a particular tunnel
without knowing which hosts are *legitimately* on the other end?  This
would seem to be a fundamental necessity regardless.  It is outside the
scope of IPsec only if you decide that the routing is somebody else's
problem -- that is, if a crucial part of IP security is not IPsec's
business. 

                                                          Henry Spencer
                                                       henry@spsystems.net
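
Added example, not part of the original message: a sketch of the responder-side check discussed above, where a request is answered "yes" only if every proposed selector lies fully inside what the authenticated peer may legitimately act on behalf of, and "no" otherwise. The peer names, the policy table, the documentation prefixes and the function names are all constructed for illustration; it handles IPv4 address ranges only and ignores protocol and port selectors.

```python
import ipaddress

# Constructed policy (assumption): address blocks each authenticated peer
# identity may act on behalf of, and the blocks this responder protects.
PEER_POLICY = {
    "gw-branch.example": ["192.0.2.0/25", "192.0.2.128/26", "198.51.100.7/32"],
    "roadwarrior.example": ["203.0.113.9/32"],
}
LOCAL_PROTECTED = ["10.1.0.0/16"]

def _merged(prefixes):
    """Collapse prefixes into sorted, disjoint, non-adjacent (first, last) ranges."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    ranges = []
    for n in nets:
        first, last = int(n.network_address), int(n.broadcast_address)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)   # adjacent blocks form one range
        else:
            ranges.append((first, last))
    return ranges

def covered(start, end, prefixes):
    """True only if every address in [start, end] is inside the allowed set."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != 4 or b.version != 4 or a > b:
        return False
    # Ranges are disjoint and non-adjacent, so a contiguous selector is
    # covered exactly when it fits inside a single merged range.
    return any(lo <= int(a) and int(b) <= hi for lo, hi in _merged(prefixes))

def decide(peer_id, ts_initiator, ts_responder):
    """All-or-nothing answer: no silent narrowing of the request."""
    allowed_remote = PEER_POLICY.get(peer_id)
    if allowed_remote is None or not ts_initiator or not ts_responder:
        return "no"
    ok = (all(covered(s, e, allowed_remote) for s, e in ts_initiator)
          and all(covered(s, e, LOCAL_PROTECTED) for s, e in ts_responder))
    return "yes" if ok else "no"

if __name__ == "__main__":
    local = [("10.1.0.0", "10.1.255.255")]
    # A gateway asking for hosts it is known to front.
    print(decide("gw-branch.example", [("192.0.2.0", "192.0.2.191")], local))
    # A single host claiming to be the gateway for all of 192/8.
    print(decide("roadwarrior.example", [("192.0.0.0", "192.255.255.255")], local))
```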


