
Re: Move TS to optional (RE: Don't remove TS from IKEv2)



Excerpt of message (sent 2 April 2002) by Mike Ditto:
> Dan Harkins <dharkins@tibernian.com> wrote:
>  > All I'm saying is that if a certain set of selectors manually configured on
>  > one end corresponds to whatever it is you manually do on your end then there
>  > is a mapping between a set of IPsec selectors, and therefore an equivalent
>  > set of TS payloads, and whatever your configuration looks like.
> 
> But the two ends' configurations DON'T correspond to each other.  Each
> end has a policy that describes a superset of the traffic that will
> actually be sent.  Probably both ends have defined a policy that uses
> the smallest superset that their respective policy notations allow.

That's not enough.

Implementing a policy, in the case of IPsec at least, means (a)
accepting traffic that matches the rule, and also (b) rejecting ALL
traffic that does not match the rule.

So "a superset" is not a valid substitute for an exact match.

      paul
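As an added illustration of the point above (example code, not from the thread or any IPsec implementation): a small Python model of the accept-on-match, reject-everything-else semantics, run over two constructed "superset" policies to list the traffic one end's policy lets out that the other end's policy rejects. The Selector class, the addresses and the port ranges are assumptions made up for the example.

```python
# Added example: models IPsec policy semantics (a) accept traffic matching a rule,
# (b) reject ALL other traffic, to show why two supersets are not an exact match.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Selector:
    """Hypothetical, simplified selector: protocol, address range, port range."""
    proto: int
    net: IPv4Network
    ports: tuple  # (low, high), inclusive

    def matches(self, proto, addr, port):
        lo, hi = self.ports
        return proto == self.proto and ip_address(addr) in self.net and lo <= port <= hi


def policy_decision(selectors, pkt):
    """True if any selector matches the packet (accept); False otherwise (reject)."""
    return any(s.matches(*pkt) for s in selectors)


def mismatched_traffic(local, remote, candidates):
    """Packets the local policy accepts (and would send) that the remote policy rejects."""
    return [p for p in candidates if policy_decision(local, p) and not policy_decision(remote, p)]


# Constructed sample: the real traffic is TCP to 10.0.0.10:443; each end has written
# a policy that is a superset of it, but the two supersets differ.
END_A = [Selector(6, IPv4Network("10.0.0.0/24"), (0, 65535))]
END_B = [Selector(6, IPv4Network("10.0.0.0/28"), (443, 443))]
CANDIDATES = [
    (6, "10.0.0.10", 443),   # the real traffic: inside both supersets
    (6, "10.0.0.10", 8080),  # inside A's superset only
    (6, "10.0.0.200", 443),  # inside A's superset only
    (17, "10.0.0.10", 443),  # UDP: matches neither policy
]

if __name__ == "__main__":
    for p in mismatched_traffic(END_A, END_B, CANDIDATES):
        print("accepted by A's policy, rejected by B's policy:", p)
```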