
Re: Move TS to optional (RE: Don't remove TS from IKEv2)



On Mon, 01 Apr 2002 18:11:02 PST you wrote
> Dan Harkins <dharkins@tibernian.com> wrote:
> > >                        and would work with IKE if IKE didn't require the
> > > ends to describe in advance what traffic each SA would carry.
> > 
> > Manually keyed SAs require you to describe the traffic for each SA in
> > advance too!
> 
> No, there are two differences.  Manual keying doesn't require each end
> to know what the other end's policy is, and manual keying doesn't
> require sending a traffic description on the wire.  I can phone you up
> and say "Let's set up our gateways to let us talk Telnet on ESP SPI 17
> and HTTP on ESP SPI 42."  You configure your implementation your way,
> I configure mine my way, and we communicate.  You might actually
> configure your end to allow FTP and traceroute as well, and my end
> will never know or care (but it will reject those packets if you ever
> send them).  

Notice how I didn't say that manual keying requires each end to know what
the other end's policy is, nor did I say that it requires sending a traffic
description on the wire. I said it requires you to describe the traffic
for each SA in advance. And your example of a telephone call (in which the
traffic is described) prior to the sending of traffic proves this. Please
go back and reread what was written.

All I'm saying is that if a certain set of selectors manually configured on
one end corresponds to whatever it is you manually do on your end then there 
is a mapping between a set of IPsec selectors, and therefore an equivalent
set of TS payloads, and whatever your configuration looks like. So it should
be very straightforward for you to write some code to do that mapping
dynamically.

>               I don't need IPsec selectors on my end, and you're free
> to use them on your end.

I am not trying to force you to be IPsec-compliant. Only pointing out that
if you can truly interoperate with an IPsec-compliant device using
manual keying (as you maintain) then it should be easy to write code to
interoperate using IKE and TS payloads. Therefore the only problem you have
is that you don't want to (or cannot) write the code necessary to do that.
But that is not a problem that can or should be solved by this working group.

  Dan.
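The selector-to-TS mapping Dan argues is "very straightforward", as an added example that is not code from this thread or from any IKE implementation. It encodes a manually configured selector (protocol, port range, address range) into the TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE substructure and TS payload body of RFC 7296 section 3.13.1 (the eventual IKEv2 standard, not the 2002 draft being discussed), and decodes it back; the generic payload header is assumed to be added by the caller, and the addresses and ports below are constructed sample values.

```python
import ipaddress
import struct
from typing import List, Tuple

# TS Type values from RFC 7296 section 3.13.1
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8

# A selector as (ip_protocol, (start_port, end_port), (start_addr, end_addr));
# protocol 0 and ports 0-65535 mean "any", as in the RFC.
Selector = Tuple[int, Tuple[int, int], Tuple[str, str]]


def encode_ts(proto: int, ports: Tuple[int, int], addrs: Tuple[str, str]) -> bytes:
    """Encode one Traffic Selector substructure (header + address range)."""
    start, end = (ipaddress.ip_address(a) for a in addrs)
    if start.version != end.version or start > end:
        raise ValueError("address range must be same family and ordered")
    if not 0 <= ports[0] <= ports[1] <= 65535 or not 0 <= proto <= 255:
        raise ValueError("bad port range or protocol")
    ts_type = TS_IPV4_ADDR_RANGE if start.version == 4 else TS_IPV6_ADDR_RANGE
    body = start.packed + end.packed                 # starting + ending address
    length = 8 + len(body)                           # 16 for IPv4, 40 for IPv6
    # TS Type, IP Protocol ID, Selector Length, Start Port, End Port
    return struct.pack("!BBHHH", ts_type, proto, length, ports[0], ports[1]) + body


def encode_ts_payload(selectors: List[Selector]) -> bytes:
    """TS payload body: Number of TSs, 3 reserved octets, then the TSs."""
    if not 1 <= len(selectors) <= 255:
        raise ValueError("a TS payload carries 1..255 selectors")
    return struct.pack("!B3x", len(selectors)) + b"".join(encode_ts(*s) for s in selectors)


def decode_ts_payload(data: bytes) -> List[Selector]:
    """Parse a TS payload body back into selector tuples (length-checked)."""
    count, off, out = data[0], 4, []
    for _ in range(count):
        ts_type, proto, length, sp, ep = struct.unpack_from("!BBHHH", data, off)
        if ts_type not in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE) or off + length > len(data):
            raise ValueError("unsupported TS type or truncated selector")
        alen = (length - 8) // 2                       # 4 or 16 octets per address
        start = ipaddress.ip_address(data[off + 8:off + 8 + alen])
        end = ipaddress.ip_address(data[off + 8 + alen:off + length])
        out.append((proto, (sp, ep), (str(start), str(end))))
        off += length
    return out


# Constructed example: the "Telnet on one SA, HTTP on another" policy from the mail.
TELNET_SELECTOR: Selector = (6, (23, 23), ("192.0.2.1", "192.0.2.1"))
HTTP_SELECTOR: Selector = (6, (80, 80), ("198.51.100.0", "198.51.100.255"))
```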