
Move TS to optional (RE: Don't remove TS from IKEv2)
It's only effective for the simpler cases.  How do you define an FTP-ONLY TS?  The
list can drag on and on for DNS, AOL, and any new services/protocols.  I
would say that making it optional will have the advantage you say and simplify
the protocol. I think I need to change the subject to "move TS as optional"
now.

Another advantage is, especially in the heterogeneous-admin case, that one admin can
just change his own incoming security policy without waiting for another admin's
approval.
If you want to block your extranet from accessing your accounting server, you
can just block the access, without shutting down the whole tunnel or waiting for
your peer to change it.

Michael Shieh

> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Wednesday, March 20, 2002 11:50 AM
> To: Rajesh Mohan
> Cc: sommerfeld@east.sun.com; IP Security List
> Subject: Re: Don't remove TS from IKEv2
> 
> 
> Bill's point, I think, is that in the absence of a well-defined and
> widely deployed policy distribution protocol, the TS payloads provide
> a simple and effective way of making sure that your traffic will in
> fact be accepted by the peer. Otherwise, your chances of creating
> black-hole tunnels increase dramatically.
> 
> I'm for keeping TS payloads.
> 
> jan
> 
> 
> On Wed, 20 Mar 2002, Rajesh Mohan wrote:
> 
> > > The purpose of traffic selectors is *not* to modify the SPD, but
> > > rather to allow policy compatibility (or lack thereof) to be
> > > discovered sooner rather than later.
> > >
> > 
> > We cannot really negotiate traffic selectors through IKE. The only message
> > we will probably get is "NO PROPOSAL CHOSEN". At the IPsec layer, TS serves as a
> > simple traffic filter firewall.
> > 
> > By removing TS completely, we can integrate firewall & VPN better and the
> > policy enforcer is as good as your firewall. For people without a firewall
> > solution, adding a traffic filter should be no big deal.
> > 
> > my 2 cents,
> > -Rajesh M
> > 
> > > While this is completely irrelevant for centrally-provisioned VPNs,
> > > it's extremely important for opportunistic use of IPsec between
> > > systems under heterogeneous administration.
> > >
> > > I'd rather not see IPsec limited to VPNs, and as such strongly
> > > support the continued presence of traffic selectors in the protocol.
> > >
> > > - Bill
> > > (a solaris ipsec implementor)
> > >
> > 
> 
> --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
>
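Jan's "black-hole tunnel" point and Rajesh's "NO PROPOSAL CHOSEN" remark describe the same trade-off from two sides, and a small simulation makes it concrete. The following is an added example, not code from this thread or from any IKE implementation: it models a traffic selector as (source prefix, destination prefix, IP protocol, destination port range), narrows an initiator's proposal against a responder's SPD the way a TS exchange would, and then shows where a policy mismatch surfaces with and without that exchange. The narrowing rule, the `Selector` type, the branch/HQ addresses and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed, simplified model of traffic selectors (added example, not from
# the thread). A selector names the packets a child SA may carry: source and
# destination prefixes, an IP protocol (0 = any) and a destination port range.


@dataclass(frozen=True)
class Selector:
    src: IPv4Network
    dst: IPv4Network
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 65535

    def intersect(self, other: "Selector") -> Optional["Selector"]:
        """Narrow two selectors to their common part; None if they are disjoint."""
        src = _narrow_net(self.src, other.src)
        dst = _narrow_net(self.dst, other.dst)
        if src is None or dst is None:
            return None
        if self.proto and other.proto and self.proto != other.proto:
            return None
        lo = max(self.port_lo, other.port_lo)
        hi = min(self.port_hi, other.port_hi)
        if lo > hi:
            return None
        return Selector(src, dst, self.proto or other.proto, lo, hi)

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: int, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (0, proto)
                and self.port_lo <= dport <= self.port_hi)


def _narrow_net(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    # Two CIDR prefixes are either nested or disjoint, so their overlap is the
    # more specific prefix when one exists.
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate_with_ts(proposed: List[Selector],
                      responder_spd: List[Selector]) -> Optional[List[Selector]]:
    """Responder narrows the initiator's proposal to what its own SPD permits.
    None stands for the 'NO PROPOSAL CHOSEN' outcome: the incompatibility is
    visible to both peers before any tunnel exists."""
    agreed: List[Selector] = []
    for p in proposed:
        for r in responder_spd:
            narrowed = p.intersect(r)
            if narrowed is not None:
                agreed.append(narrowed)
    return agreed or None


Packet = Tuple[IPv4Address, IPv4Address, int, int]  # (src, dst, proto, dport)


def classify(agreed_ts: Optional[List[Selector]],
             responder_spd: List[Selector],
             packets: List[Packet]) -> List[str]:
    """Where does a policy mismatch surface for each packet?
    With TS (agreed_ts given) the sender knows the tunnel's scope, so a packet
    outside it is refused locally with a clear reason. Without TS (agreed_ts
    None) the SA is up, the packet is sent, and the peer's inbound SPD check
    discards it silently: the black-hole tunnel."""
    out = []
    for src, dst, proto, dport in packets:
        if agreed_ts is not None:
            in_scope = any(t.matches(src, dst, proto, dport) for t in agreed_ts)
            out.append("delivered" if in_scope else "refused locally: outside agreed TS")
        else:
            accepted = any(r.matches(src, dst, proto, dport) for r in responder_spd)
            out.append("delivered" if accepted else "sent, silently dropped by peer")
    return out


# Constructed scenario: a branch (10.1.0.0/16) wants to protect everything to
# HQ (10.2.0.0/16); HQ's admin admits only web and DNS from the branch and keeps
# the accounting server (10.2.5.10) off limits, without the branch's involvement.
BRANCH_PROPOSAL = [Selector(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))]
HQ_SPD = [
    Selector(ip_network("10.1.0.0/16"), ip_network("10.2.10.0/24"), proto=6, port_lo=80, port_hi=80),
    Selector(ip_network("10.1.0.0/16"), ip_network("10.2.1.53/32"), proto=17, port_lo=53, port_hi=53),
]
SAMPLE_PACKETS: List[Packet] = [
    (ip_address("10.1.4.7"), ip_address("10.2.10.20"), 6, 80),  # web: permitted by HQ
    (ip_address("10.1.4.7"), ip_address("10.2.5.10"), 6, 445),  # accounting: not permitted
]

if __name__ == "__main__":
    agreed = negotiate_with_ts(BRANCH_PROPOSAL, HQ_SPD)
    print("narrowed TS:", agreed)
    print("with TS    :", classify(agreed, HQ_SPD, SAMPLE_PACKETS))
    print("without TS :", classify(None, HQ_SPD, SAMPLE_PACKETS))
    # Fully incompatible policies fail at negotiation time instead of yielding
    # a tunnel that carries nothing.
    print(negotiate_with_ts([Selector(ip_network("10.1.0.0/16"),
                                      ip_network("192.168.0.0/16"))], HQ_SPD))
```

Two things are worth noticing when running it. First, the narrowed selectors are a strict subset of HQ's SPD, so the branch learns exactly what the tunnel will carry and can reject the accounting packet locally; without the exchange the same packet is encrypted, sent and dropped with no signal back. Second, the last call shows Rajesh's point: a proposal with no overlap at all yields nothing better than "no proposal chosen", but that is still a negotiation-time answer rather than a dead tunnel, which is what Jan is arguing for.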