Re: Don't remove TS from IKEv2
Derek Atkins <warlord@MIT.EDU> wrote:
> The issue here is that you don't want to create an SA that will
> end in a black hole. If you create an "opportunistic" SA with
> someone you've never heard of before, you need to know what your
> peer will accept over the SA. If your peer will only accept,
> e.g. packets to tcp/80, then you know you shouldn't send anything
> else. This keeps you from creating a black hole.
I see, but I don't see that this is useful. If it's my intention to
negotiate a tunnel with you and then send through it packets that you
won't accept, there is no reason to treat that differently than if I
just sent the unacceptable packets to you outside of the tunnel. Drop
the packets or send an ICMP error.
In addition to believing that the feature is not useful, I also
believe that it is not possible to do in general. Either alone is
reason enough to drop it; I think both together clinch it. :-)
-=] Mike [=-