
RE: opportunistic (was RE: Don't remove TS from IKEv2)



On Mon, 25 Mar 2002, Michael Choung Shieh wrote:
> > > It also has blackhole problem
> > > when data traffic is initiated from server side.
> > Why?  Please explain.  The protocol is symmetrical...
> 
> If initiator's policy is <any> from/to <10.0.0.0/24>  and responder's policy
> is <any> from/to <10.0.0.0/16>.  IKE will succeed...

Uh, no it won't, because of the much-despised traffic selectors (or rather
their IKEv1 equivalents).  OE negotiates a tunnel for the exact hosts that
will be communicating, so no mismatch is possible, assuming that both ends
are actually checking to make sure that what's requested is allowed.

Oh, and in the absence of special arrangements, OE doesn't work for
private addresses, since they won't have public DNS entries.  OE is not,
repeat *not*, repeat *NOT*, just another way to do VPNs.  It's for public
networks, not private networks.  IPsec is not just VPNs.

                                                          Henry Spencer
                                                       henry@spsystems.net
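An added illustration of the two cases argued above, not code from the thread or from any IKE implementation: the subnet-policy mismatch (initiator /24, responder /16) that blackholes server-initiated traffic, and the exact-host selector check where both ends verify the proposal against local policy so a mismatch cannot be installed. The prefixes are the ones quoted in the mail; the host addresses are constructed samples.

```python
import ipaddress

def policy_covers(policy_net, host):
    """True if a policy of the form <any> from/to <policy_net> covers host."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(policy_net)

def blackholed_by_subnet_mismatch(init_policy, resp_policy, dst):
    """Subnet-policy case from the quoted mail: the responder's SA covers dst,
    the initiator's does not, so packets the server sends toward dst enter
    the tunnel and are dropped at the far end (no SA, no policy)."""
    return policy_covers(resp_policy, dst) and not policy_covers(init_policy, dst)

def accept_exact_host_ts(local_policy, ts_host):
    """Responder/initiator check of a single-host traffic selector: accept
    only if local policy covers it; rejecting fails the negotiation instead
    of installing an SA the other side does not share."""
    return policy_covers(local_policy, ts_host)

def negotiate_exact_host(init_policy, resp_policy, host):
    """OE-style negotiation: the tunnel is for one exact host, and both ends
    must accept the same selector, so the SAs either match or do not exist."""
    return (accept_exact_host_ts(init_policy, host)
            and accept_exact_host_ts(resp_policy, host))

# Constructed sample: the prefixes quoted in the thread and two test hosts.
INIT_POLICY = "10.0.0.0/24"
RESP_POLICY = "10.0.0.0/16"
HOST_IN_BOTH = "10.0.0.7"     # inside the /24 and the /16
HOST_ONLY_RESP = "10.0.1.7"   # inside the /16 only

if __name__ == "__main__":
    print("mismatch blackholes", HOST_ONLY_RESP,
          blackholed_by_subnet_mismatch(INIT_POLICY, RESP_POLICY, HOST_ONLY_RESP))
    print("exact-host TS for", HOST_ONLY_RESP, "accepted:",
          negotiate_exact_host(INIT_POLICY, RESP_POLICY, HOST_ONLY_RESP))
```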