Re: Don't remove TS from IKEv2
Bill's point, I think, is that in the absence of a well-defined and
widely deployed policy distribution protocol, the TS payloads provide
a simple and effective way of making sure that your traffic will in
fact be accepted by the peer. Otherwise, your chances of creating
black-hole tunnels increase dramatically.
I'm for keeping TS payloads.
jan
On Wed, 20 Mar 2002, Rajesh Mohan wrote:
> > The purpose of traffic selectors is *not* to modify the SPD, but
> > rather to allow policy compatibility (or lack thereof) to be
> > discovered sooner rather than later.
> >
>
> We cannot really negotiate traffic selectors through IKE. The only message
> we will probably get is "NO PROPOSAL CHOSEN". At the IPsec layer, TS serves as a
> simple traffic filter firewall.
>
> By removing TS completely, we can integrate firewall & VPN better and the
> policy enforcer is as good as your firewall. For people without a firewall
> solution, adding a traffic filter should be no big deal.
>
> my 2 cents,
> -Rajesh M
>
> > While this is completely irrelevant for centrally-provisioned VPNs,
> > it's extremely important for opportunistic use of IPsec between
> > systems under heterogeneous administration.
> >
> > I'd rather not see IPsec limited to VPNs, and as such strongly
> > support the continued presence of traffic selectors in the protocol.
> >
> > - Bill
> > (a solaris ipsec implementor)
> >
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
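The point Jan and Bill are making, that TS payloads let a policy mismatch surface during the IKE exchange instead of after the SA is up, can be shown with a small model. The code below is an added example, not part of this thread and not code from any IKE implementation or vendor. It assumes IKEv2-style selectors (address range, protocol, port range) and the narrowing rule the later IKEv2 RFCs standardized: the responder intersects the proposed TSi/TSr with its own SPD and answers TS_UNACCEPTABLE when there is no overlap. The `TS` and `SPDEntry` classes, the address ranges and the packet values are all constructed for the example.

```python
"""Model of why Traffic Selector (TS) payloads catch IPsec policy mismatches
at negotiation time rather than producing black-hole tunnels.
Constructed example; not from the mailing-list thread or any IKE stack."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple, Union

TS_UNACCEPTABLE = "TS_UNACCEPTABLE"  # IKEv2 notify sent when no overlap exists


@dataclass(frozen=True)
class TS:
    """One traffic selector: address range, IP protocol (0 = any), port range."""
    start_addr: str
    end_addr: str
    proto: int = 0
    start_port: int = 0
    end_port: int = 65535

    def narrow(self, other: "TS") -> Optional["TS"]:
        """Return the common subset of two selectors, or None if they are disjoint."""
        lo = max(ip_address(self.start_addr), ip_address(other.start_addr))
        hi = min(ip_address(self.end_addr), ip_address(other.end_addr))
        if lo > hi:
            return None
        if self.proto and other.proto and self.proto != other.proto:
            return None
        plo = max(self.start_port, other.start_port)
        phi = min(self.end_port, other.end_port)
        if plo > phi:
            return None
        return TS(str(lo), str(hi), self.proto or other.proto, plo, phi)

    def covers(self, addr: str, proto: int, port: int) -> bool:
        """Does one packet endpoint (address, protocol, port) fall inside this selector?"""
        return (ip_address(self.start_addr) <= ip_address(addr) <= ip_address(self.end_addr)
                and self.proto in (0, proto)
                and self.start_port <= port <= self.end_port)


@dataclass(frozen=True)
class SPDEntry:
    """One SPD rule on a gateway: which local and which remote traffic the tunnel protects."""
    local: TS
    remote: TS


def negotiate_with_ts(initiator: SPDEntry, responder: SPDEntry) -> Union[str, Tuple[TS, TS]]:
    """Responder-side TS handling: the proposed TSi/TSr are narrowed against the
    responder's own SPD; an empty intersection is reported during IKE."""
    tsi = initiator.local.narrow(responder.remote)   # initiator's local = responder's remote
    tsr = initiator.remote.narrow(responder.local)
    if tsi is None or tsr is None:
        return TS_UNACCEPTABLE
    return (tsi, tsr)


def forward_with_ts(initiator: SPDEntry, responder: SPDEntry,
                    src: str, dst: str, proto: int, sport: int, dport: int) -> str:
    """Fate of one initiator-to-responder packet when TS was negotiated: the
    initiator knows the narrowed scope before it sends anything."""
    result = negotiate_with_ts(initiator, responder)
    if result == TS_UNACCEPTABLE:
        return "no SA: mismatch reported during IKE"
    tsi, tsr = result
    if tsi.covers(src, proto, sport) and tsr.covers(dst, proto, dport):
        return "delivered"
    return "outside negotiated selectors: not sent through this SA"


def forward_without_ts(initiator: SPDEntry, responder: SPDEntry,
                       src: str, dst: str, proto: int, sport: int, dport: int) -> str:
    """Fate of the same packet when the SA came up without any TS exchange:
    each side filters independently, so a mismatch is only found per packet."""
    if not (initiator.local.covers(src, proto, sport) and initiator.remote.covers(dst, proto, dport)):
        return "not sent through tunnel"
    if responder.remote.covers(src, proto, sport) and responder.local.covers(dst, proto, dport):
        return "delivered"
    return "black-holed"  # encrypted and sent, then silently dropped by the peer's SPD


# Constructed policies. Initiator protects 10.1.0.0/16 <-> 10.2.0.0/16, any protocol.
# One responder only accepts TCP from 10.1.5.0/24 to its 10.2.0.0/16 on port 443;
# the other expects a completely different remote network.
INITIATOR = SPDEntry(local=TS("10.1.0.0", "10.1.255.255"),
                     remote=TS("10.2.0.0", "10.2.255.255"))
RESPONDER_OVERLAP = SPDEntry(local=TS("10.2.0.0", "10.2.255.255", 6, 443, 443),
                             remote=TS("10.1.5.0", "10.1.5.255", 6))
RESPONDER_DISJOINT = SPDEntry(local=TS("10.2.0.0", "10.2.255.255"),
                              remote=TS("192.168.0.0", "192.168.255.255"))

if __name__ == "__main__":
    pkt = ("10.1.9.1", "10.2.0.5", 6, 40000, 443)  # host outside the responder's 10.1.5.0/24
    print("with TS   :", forward_with_ts(INITIATOR, RESPONDER_OVERLAP, *pkt))
    print("without TS:", forward_without_ts(INITIATOR, RESPONDER_OVERLAP, *pkt))
    print("disjoint  :", negotiate_with_ts(INITIATOR, RESPONDER_DISJOINT))
```

With the overlapping responder, the narrowed pair tells the initiator up front that only TCP from 10.1.5.0/24 to port 443 is protected, so a packet from 10.1.9.1 is never pushed into the SA; without the exchange the same packet is encrypted, transmitted and dropped by the peer, which is the black hole the thread describes. With the disjoint responder the IKE exchange itself reports the mismatch and no SA is created.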