
Re: Don't remove TS from IKEv2



On Wed, 20 Mar 2002 19:41:38 PST you wrote
> 
> TS does detect mis-config for simple scenario.  However, it falls short on
> more complex cases:
> 
> 1. FTP, DNS, H323.  (btw, can someone show me what the correct TS should be
> for FTP and H323?  I still don't know how to do it correctly even for FTP)
> 2. dynamic routing.
> 3. NAT from several pools (or determined by routing)
> 4. change inbound local security policy without shutting down the whole tunnel or
> waiting for peer's approval.

Whatever was in your SPD that matched the packet that caused the 
negotiation to happen in the first place. That should be what your TS
payloads represent.

> These are all customer request features.  right now I can only put 0 in
> proxy_id (and future TS) and screw up my tunnel.

I'm assuming you are able to populate your SPD correctly (since this 
discussion is not to change the representation of selectors). If your SPD
can somehow be properly configured to allow NAT from different pools or
H.323 to be IPsec protected it should not be too difficult to do this
either. Whatever got sent up with the "acquire" (a PF_KEY term but you
should have a semantically equivalent function) is what you use.

  Dan.
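The rule Dan states above, that the TS payloads carry the selector of the SPD entry the triggering packet matched (as delivered by the acquire), and not the packet's own 5-tuple, written out as a small model. This is an added example and not code from the thread or from any IKE implementation; the SPD layout, the `acquire()` function, the policy names and the sample packets are constructed for illustration, and the TS wire encoding follows the TS_IPV4_ADDR_RANGE layout of RFC 7296 section 3.13.1, which post-dates this 2002 discussion.

```python
"""Model: derive IKEv2 Traffic Selectors from the SPD entry that matched the
triggering packet, not from the packet itself.

Added example, not from the original thread.  SPD layout, the 'acquire'
record and the policy names are constructed; the TS encoding follows the
TS_IPV4_ADDR_RANGE format of RFC 7296 3.13.1 (later than this discussion).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

TS_IPV4_ADDR_RANGE = 7   # TS type value from RFC 7296
ANY_PROTO = 0            # SPD convention here: 0 means any IP protocol


@dataclass(frozen=True)
class Selector:
    """One side of an SPD selector: an address range plus a port range."""
    net: IPv4Network
    port_lo: int = 0
    port_hi: int = 65535

    def matches(self, addr: str, port: int) -> bool:
        return IPv4Address(addr) in self.net and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class SpdEntry:
    name: str
    local: Selector
    remote: Selector
    proto: int = ANY_PROTO
    action: str = "protect"      # protect | bypass | discard


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class TrafficSelector:
    proto: int
    start_port: int
    end_port: int
    start_addr: IPv4Address
    end_addr: IPv4Address

    def encode(self) -> bytes:
        """TS_IPV4_ADDR_RANGE: type, proto, selector length (16), start/end
        port, start/end address, all network byte order."""
        return struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, self.proto, 16,
                           self.start_port, self.end_port) \
            + self.start_addr.packed + self.end_addr.packed


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """First-match lookup of an outbound packet against the ordered SPD."""
    for entry in spd:
        if entry.proto not in (ANY_PROTO, pkt.proto):
            continue
        if entry.local.matches(pkt.src, pkt.sport) and \
           entry.remote.matches(pkt.dst, pkt.dport):
            return entry
    return None


def selector_to_ts(sel: Selector, proto: int) -> TrafficSelector:
    """The TS mirrors the policy's selector range, whatever the packet was."""
    return TrafficSelector(proto, sel.port_lo, sel.port_hi,
                           sel.net.network_address, sel.net.broadcast_address)


def acquire(spd: List[SpdEntry],
            pkt: Packet) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """Model of the PF_KEY acquire: the kernel hands IKE the SPD entry that
    matched; IKE builds TSi (local) and TSr (remote) from that entry."""
    entry = spd_lookup(spd, pkt)
    if entry is None or entry.action != "protect":
        return None
    return (selector_to_ts(entry.local, entry.proto),
            selector_to_ts(entry.remote, entry.proto))


# Constructed SPD: FTP control channel to one server, then a site-to-site rule.
SPD = [
    SpdEntry("ftp-control",
             local=Selector(IPv4Network("10.1.0.0/24")),
             remote=Selector(IPv4Network("192.0.2.10/32"), 21, 21),
             proto=6),
    SpdEntry("site-to-site",
             local=Selector(IPv4Network("10.1.0.0/24")),
             remote=Selector(IPv4Network("192.0.2.0/24"))),
]

if __name__ == "__main__":
    # Ephemeral source port 49152 never appears in the TS; the policy's
    # any-port local selector and the 21-21 remote selector do.
    tsi, tsr = acquire(SPD, Packet("10.1.0.7", "192.0.2.10", 6, 49152, 21))
    print(tsi, tsr, tsr.encode().hex(), sep="\n")
```

The point the model makes concrete: for the FTP control packet, TSi comes out as 10.1.0.0-10.1.0.255 with ports 0-65535 and TSr as 192.0.2.10 port 21, because that is what the matching SPD entry says; the packet's ephemeral port is irrelevant. Whether an SPD can express the FTP data channel or H.323 at all is the separate question raised in the quoted message, and this model does not try to answer it.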