RE: opportunistic (was RE: Don't remove TS from IKEv2)
comments inline.
> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net]
> Sent: Monday, March 25, 2002 11:29 AM
> To: Michael Choung Shieh
> Cc: IP Security List
> Subject: opportunistic (was RE: Don't remove TS from IKEv2)
>
>
> On Mon, 25 Mar 2002, Michael Choung Shieh wrote:
> > It seems to me the model of "Opportunistic Encryption" is
> only applicable to
> > client-server, not peer-to-peer scenario.
>
> Why? Please explain. The words "client" and "server" do not
> appear in
> the spec, last I looked, and it certainly works peer-to-peer -- we're
> using it that way experimentally.
>
Ok. It's my misunderstanding.
> > It also has blackhole problem
> > when data traffic is initiated from server side.
>
> Why? Please explain. The protocol is symmetrical; there is
> no "client"
> or "server" distinction made.
>
If the initiator's policy is <any> from/to <10.0.0.0/24> and the responder's policy
is <any> from/to <10.0.0.0/16>, IKE will succeed but traffic from 10.0.1.1
(behind the responder) will be dropped.
> > The other problem is, under client server scenario, usually
> server is
> > protecting more valuable information so it has stricter SPD
> than clients.
>
> How is this relevant? Opportunistic encryption is intended to protect
> communication that now goes out in cleartext; it is *not* just another
> kind of VPN. There is no particular trust relationship
> between the two ends,
I see. It's a different problem domain.
> and no reason why an incoming packet over an OE tunnel is trusted
> any more than a packet which arrives from the rest of the Internet.
> Information which is protected from general Internet access should be
> protected from access via OE tunnels too.
>
>
> Henry Spencer
>
> henry@spsystems.net
>
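The selector mismatch described in the reply above, modelled as an added example (not code from the thread): the two policies are constructed to match the scenario given, and the model assumes the responder narrows the selector to the overlap of the two policies, so a host inside the responder's policy but outside the negotiated selector gets neither an SA nor cleartext delivery.

```python
from ipaddress import ip_address, ip_network

# Constructed policies mirroring the scenario in the reply above.
INITIATOR_POLICY = ip_network("10.0.0.0/24")
RESPONDER_POLICY = ip_network("10.0.0.0/16")


def negotiated_selector(initiator, responder):
    """Traffic selector both ends can agree on.

    Assumes the responder narrows the proposed selector to the overlap of
    the two policies.  CIDR prefixes either nest or are disjoint, so the
    overlap is the narrower prefix, or None when there is no overlap.
    """
    if initiator.subnet_of(responder):
        return initiator
    if responder.subnet_of(initiator):
        return responder
    return None


def classify(src, initiator=INITIATOR_POLICY, responder=RESPONDER_POLICY):
    """Fate of a packet sourced from `src` behind the responder."""
    src = ip_address(src)
    sa = negotiated_selector(initiator, responder)
    if sa is not None and src in sa:
        # Covered by the child SA that IKE set up: goes out protected.
        return "protected"
    if src in responder:
        # Responder policy demands protection, but no SA covers this host
        # and the initiator's policy would not accept a selector for it,
        # so the packet has nowhere to go: the black hole in the reply.
        return "blackholed"
    # Outside both policies: under OE this traffic simply stays cleartext.
    return "cleartext"


def audit(hosts):
    """Map each constructed host behind the responder to its fate."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, fate in audit(["10.0.0.5", "10.0.1.1", "192.0.2.1"]).items():
        print(f"{host:>10}  {fate}")
```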