
Re: divergent interpretations of IKE/IPsec - interop issues
>   IKEv1 is not a policy negotiation protocol. This is bad, but it is.
>   BUT, in a BCP, we document WHAT IS, not what we'd like.
>   Please do NOT muddy the waters by mixing threads.

I'm only trying to get people to realize the following fact:

(1) If you implement RFC-2401, then

(2) there is no need for any policy checks in key negotiation, it can
    accept any proposed SA, if it can do the proposed algorithms and the
    protocol (AH, ESP or IPCOMP).

The above takes care of security. What remains is just to find
solutions to real-world error situations, for example mismatched
policies.

For detecting blackholes (mismatched policies), I already outlined a
solution that does not need key management to know about policies and
which covers all cases, instead of just those that can be detected at
key negotiation (e.g. sending packets over a correctly negotiated, but
wrong, SA).

Obviously, there appears to be some confusion about what "policy"
actually is. The way I understand policy, there is no way IKE should
be able to change it.

If I specify in policy that packets MUST be protected by ESP using
3DES and SHA1 or MD5, then that's it. No way I would allow the other
end to change those, like changing 3DES to DES! If I wanted that, I
would say so in my policy, like "use 3DES or DES and SHA1 or MD5". IKE
can then pick/negotiate the combination for the SA (I do not consider
that part as "negotiating policy").
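The separation argued for in this mail, modelled as an added example that is not the poster's code and not any IKE implementation: the SPD entry fixes what is allowed, IKE only enumerates combinations within it, the responder checks capability (not policy), and the RFC 2401 outbound check is what catches an SA that was negotiated correctly but does not match policy. The `Policy` and `Proposal` types and their field names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Policy:
    """One SPD entry: what local policy REQUIRES (constructed example)."""
    protocol: str            # "ESP", "AH" or "IPCOMP"
    ciphers: frozenset       # acceptable encryption algorithms
    integrity: frozenset     # acceptable integrity algorithms

@dataclass(frozen=True)
class Proposal:
    """One concrete combination offered or selected by IKE."""
    protocol: str
    cipher: str
    integrity: str

def proposals_from_policy(policy):
    """IKE builds its proposal list from policy: every allowed
    combination and nothing outside it. Picking among these is the
    'negotiate the combination' step, not a change of policy."""
    return [Proposal(policy.protocol, c, i)
            for c, i in product(sorted(policy.ciphers), sorted(policy.integrity))]

def responder_select(proposals, supported_protocols, supported_ciphers, supported_integrity):
    """The responder's key negotiation only checks what it CAN do
    (protocol and algorithms); it needs no knowledge of policy."""
    for p in proposals:
        if (p.protocol in supported_protocols and p.cipher in supported_ciphers
                and p.integrity in supported_integrity):
            return p
    return None                      # nothing acceptable: negotiation fails

def sa_conforms(policy, sa):
    """RFC 2401 outbound processing: a packet may only leave on an SA
    that matches its SPD entry. A negotiated-but-wrong SA fails here,
    which is the blackhole case that must be detected separately."""
    return (sa.protocol == policy.protocol and sa.cipher in policy.ciphers
            and sa.integrity in policy.integrity)

if __name__ == "__main__":
    strict = Policy("ESP", frozenset({"3DES"}), frozenset({"SHA1", "MD5"}))
    offered = proposals_from_policy(strict)
    chosen = responder_select(offered, {"ESP"}, {"3DES", "DES"}, {"SHA1"})
    print("negotiated:", chosen)                                   # ESP/3DES/SHA1
    print("DES SA allowed by policy?", sa_conforms(strict, Proposal("ESP", "DES", "SHA1")))
```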