
Re: Don't remove TS from IKEv2

Derek Atkins <warlord@MIT.EDU> wrote:
> The issue here is that you don't want to create an SA that will
> end in a black hole.  If you create an "opportunistic" SA with
> someone you've never heard of before, you need to know what your
> peer will accept over the SA.  If your peer will only accept,
> e.g. packets to tcp/80, then you know you shouldn't send anything
> else.  This keeps you from creating a black hole.

I see, but I don't see that this is useful.  If it's my intention to
negotiate a tunnel with you and then send through it packets that you
won't accept, there is no reason to treat that differently than if I
just sent the unacceptable packets to you outside of the tunnel.  Drop
the packets or send an ICMP error.

In addition to believing that the feature is not useful, I also
believe that it is not possible to do in general.  Either alone is
reason enough to drop it; I think both together clinch it.  :-)

					-=] Mike [=-
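The disagreement above is about what the initiator learns from the responder's Traffic Selectors (TS): Derek's point is that the narrowed TS tells the sender which packets the peer will accept, so it can avoid pushing the rest into the SA; Mike's point is that the sender could equally just drop or ICMP those packets. The following Python sketch is an added illustration, not code from the thread or from any IKEv2 implementation, of TS narrowing followed by a per-packet outbound check. It assumes a simplified model (one IPv4 selector per side, a single port range, protocol 0 meaning "any", as in IKEv2's TS encoding); the scenario data is constructed for the example.

```python
"""Added example: IKEv2-style traffic selector narrowing and the sender-side
check that the narrowed selectors make possible.  Simplified model, not an
implementation of the IKEv2 TS payloads (which carry lists of selectors and
other address families)."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

ANY_PROTO = 0  # IKEv2 encodes "any protocol" in a TS as protocol ID 0


@dataclass(frozen=True)
class TrafficSelector:
    """One selector: IP protocol, port range and IPv4 address range."""
    proto: int
    port_lo: int
    port_hi: int
    addr_lo: ipaddress.IPv4Address
    addr_hi: ipaddress.IPv4Address

    def covers(self, proto: int, port: int, addr: ipaddress.IPv4Address) -> bool:
        proto_ok = self.proto == ANY_PROTO or self.proto == proto
        return (proto_ok
                and self.port_lo <= port <= self.port_hi
                and self.addr_lo <= addr <= self.addr_hi)


def ts(proto: int, port_lo: int, port_hi: int, addr_lo: str, addr_hi: str) -> TrafficSelector:
    """Convenience constructor taking dotted-quad strings."""
    return TrafficSelector(proto, port_lo, port_hi,
                           ipaddress.IPv4Address(addr_lo), ipaddress.IPv4Address(addr_hi))


def narrow(proposed: TrafficSelector, policy: TrafficSelector) -> Optional[TrafficSelector]:
    """Responder-side narrowing: intersect the initiator's proposal with local
    policy.  Returns None when they do not overlap (the responder would then
    answer with TS_UNACCEPTABLE instead of creating an SA)."""
    if (proposed.proto != ANY_PROTO and policy.proto != ANY_PROTO
            and proposed.proto != policy.proto):
        return None
    proto = policy.proto if proposed.proto == ANY_PROTO else proposed.proto
    port_lo = max(proposed.port_lo, policy.port_lo)
    port_hi = min(proposed.port_hi, policy.port_hi)
    addr_lo = max(proposed.addr_lo, policy.addr_lo)
    addr_hi = min(proposed.addr_hi, policy.addr_hi)
    if port_lo > port_hi or addr_lo > addr_hi:
        return None
    return TrafficSelector(proto, port_lo, port_hi, addr_lo, addr_hi)


@dataclass(frozen=True)
class ChildSA:
    tsi: TrafficSelector  # initiator side (source of the initiator's traffic)
    tsr: TrafficSelector  # responder side (destination of the initiator's traffic)


def negotiate(proposed_tsi, proposed_tsr, policy_tsi, policy_tsr) -> Optional[ChildSA]:
    """What the initiator ends up with after the responder narrows both selectors."""
    tsi = narrow(proposed_tsi, policy_tsi)
    tsr = narrow(proposed_tsr, policy_tsr)
    if tsi is None or tsr is None:
        return None
    return ChildSA(tsi, tsr)


def outbound_decision(sa: ChildSA, proto: int, src_port: int, src: str,
                      dst_port: int, dst: str) -> str:
    """Initiator's per-packet check before handing a packet to the SA.
    'send' when both narrowed selectors cover it; otherwise 'no_sa': the packet
    must not go through this tunnel, and local policy decides whether to drop
    it, return an ICMP error, or negotiate a wider SA.  Without the narrowed
    TS the initiator could not tell the two cases apart and the peer would
    simply discard the packet on arrival."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if sa.tsi.covers(proto, src_port, src_ip) and sa.tsr.covers(proto, dst_port, dst_ip):
        return "send"
    return "no_sa"


def demo() -> Optional[ChildSA]:
    """Constructed scenario: the initiator proposes everything from 10.0.0.0/24
    to 192.0.2.1; the responder's policy only allows TCP to port 80 there."""
    proposed_tsi = ts(ANY_PROTO, 0, 65535, "10.0.0.0", "10.0.0.255")
    proposed_tsr = ts(ANY_PROTO, 0, 65535, "192.0.2.1", "192.0.2.1")
    policy_tsi = ts(6, 0, 65535, "10.0.0.0", "10.0.0.255")   # TCP, any port
    policy_tsr = ts(6, 80, 80, "192.0.2.1", "192.0.2.1")     # TCP/80 only
    return negotiate(proposed_tsi, proposed_tsr, policy_tsi, policy_tsr)


if __name__ == "__main__":
    sa = demo()
    print("narrowed TSr:", sa.tsr)
    print("tcp/80 :", outbound_decision(sa, 6, 40000, "10.0.0.5", 80, "192.0.2.1"))
    print("udp/53 :", outbound_decision(sa, 17, 40000, "10.0.0.5", 53, "192.0.2.1"))
```

In this model the responder's narrowing is exactly the information Derek says the initiator needs: after `negotiate` the initiator knows the SA carries only TCP/80 and `outbound_decision` routes a DNS packet to `no_sa` before it enters the tunnel. Whether that outcome is better than letting the peer drop the same packet, or whether the responder can always compute a single narrowed selector in the general case, is the question the two messages dispute; the code does not settle it.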