
Re: Don't remove TS from IKEv2



> The purpose of traffic selectors is *not* to modify the SPD, but
> rather to allow policy compatibility (or lack thereof) to be
> discovered sooner rather than later.
>

We cannot really negotiate traffic selectors through IKE. The only message
we will probably get is "NO PROPOSAL CHOSEN". At the IPsec layer, TS serves as a
simple traffic-filter firewall.

By removing TS completely, we can integrate firewall & VPN better, and the
policy enforcer is as good as your firewall. For people without a firewall
solution, adding a traffic filter should be no big deal.

my 2 cents,
-Rajesh M
> While this is completely irrelevant for centrally-provisioned VPNs,
> it's extremely important for opportunistic use of IPsec between
> systems under heterogeneous administration.
>
> I'd rather not see IPsec limited to VPNs, and as such strongly
> support the continued presence of traffic selectors in the protocol.
>
> - Bill
> (a Solaris IPsec implementor)