
Re: Is TS agreement necessary?



Hi Rajesh,

Rajesh Mohan wrote:
<trimmed...>

> > Suppose, as you suggest, that we allowed negotiation of multiple SAs
> > between two peers without specifying TS values. Ultimately, there must
> > be *some* policy rule associated with each of these SAs since, as you
> > suggest, the point is to somehow segregate traffic between them. That
> > is, for a given SA, some traffic is allowed, and some is not. Please
> > elaborate upon how we determine which traffic is appropriate for each
> > SA once they are established.
> 
> In my case, on the sender side, I would decide on a tunnel based on VLAN ID
> or the port from which the packet was received. The selectors in IPsec make
> it less flexible for applications like these.

A VLAN ID is typically a layer-2 construct, which may explain why it is
difficult to use it as a selector for a layer-3 security mechanism.
Assuming this ID is not contained in the IP packet which traverses the
tunnel, the remote gateway has no way to verify that such a packet
matches his local policy. Do you think this is not important?

> > As an aside, can you tell us why wildcard TS values do not satisfy your
> > requirements in the same way that omitting TS values would?
> >
> 
> 0.0.0.0/0 is used to mean "allow tunnel traffic only". Something like
> "allow all traffic from tunnel" will be useful. A tunnel without selectors
> can be used for that.

Maybe I'm misunderstanding. What is the distinction between these two
cases? I would interpret the 0.0.0.0/0 selector to mean "permit any/all
traffic in this tunnel". By "allow all traffic from tunnel", do you mean
to imply that you'd like to reference a particular tunnel in some other
policy rule?

Thanks,

Scott
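The exchange above turns on what the receiving gateway can actually check. The following is an added illustration, not code from the thread or from any IPsec implementation: a toy model of per-SA traffic selectors (addresses, protocol, destination port range) in the style of RFC 4301 inbound policy checking. The SA, selector and packet classes, the `0x1001`-style SPIs and the addresses are all constructed for the example. The VLAN tag lives on the layer-2 frame and is stripped when the inner IP packet is tunneled, so the receiver can only verify what the negotiated selector describes; an SA modelled with no selector at all yields an unverifiable decision, and the `0.0.0.0/0` wildcard accepts everything.

```python
"""Toy model of inbound traffic-selector (TS) checking for IPsec SAs.

Constructed example: classes, SPIs and addresses are hypothetical and
not taken from any real implementation or from the mailing-list thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class InnerPacket:
    """The layer-3 packet that actually traverses the tunnel."""
    src: str
    dst: str
    proto: int          # 6 = TCP, 17 = UDP
    dport: int


@dataclass(frozen=True)
class Layer2Frame:
    """Frame as seen on the sender's LAN port; the VLAN tag is layer-2 only."""
    vlan_id: int
    payload: InnerPacket


@dataclass(frozen=True)
class TrafficSelector:
    """Negotiated per-SA selector: address ranges, protocol, dst port range."""
    src_net: str                       # "0.0.0.0/0" is the wildcard
    dst_net: str
    proto: Optional[int] = None        # None = any protocol
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range

    def matches(self, pkt: InnerPacket) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        lo, hi = self.dport
        return lo <= pkt.dport <= hi


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    ts: Optional[TrafficSelector]      # None models an SA negotiated with no TS


WILDCARD_TS = TrafficSelector("0.0.0.0/0", "0.0.0.0/0")


def encapsulate(frame: Layer2Frame) -> InnerPacket:
    """Tunneling carries only the IP packet; the VLAN ID does not survive."""
    return frame.payload


def inbound_check(sa: SecurityAssociation, pkt: InnerPacket) -> str:
    """Receiver's decision after decapsulating `pkt` on `sa`.

    Returns "accept", "drop", or "unverifiable" (no selector to check
    against, so the receiver cannot enforce any segregation policy).
    """
    if sa.ts is None:
        return "unverifiable"
    return "accept" if sa.ts.matches(pkt) else "drop"


# Constructed SAs: a narrow selector, the wildcard, and "no selector".
SA_NARROW = SecurityAssociation(
    0x1001, TrafficSelector("10.1.0.0/16", "10.2.0.0/16", proto=6, dport=(443, 443)))
SA_WILDCARD = SecurityAssociation(0x1002, WILDCARD_TS)
SA_NO_TS = SecurityAssociation(0x1003, None)


def demo() -> dict:
    """Run the three SAs against sample frames from two VLANs (constructed)."""
    https_from_vlan10 = Layer2Frame(10, InnerPacket("10.1.5.5", "10.2.9.9", 6, 443))
    ssh_from_vlan20 = Layer2Frame(20, InnerPacket("10.1.5.5", "10.2.9.9", 6, 22))
    results = {}
    for name, frame in (("https", https_from_vlan10), ("ssh", ssh_from_vlan20)):
        pkt = encapsulate(frame)           # VLAN ID is gone at this point
        for sa in (SA_NARROW, SA_WILDCARD, SA_NO_TS):
            results[(name, sa.spi)] = inbound_check(sa, pkt)
    return results


if __name__ == "__main__":
    for key, decision in demo().items():
        print(key, decision)
```

The `InnerPacket` produced by `encapsulate` has no `vlan_id` field, which is the whole point: whatever the sender used to pick an SA, the receiver can only apply policy to fields that are present in the decapsulated packet and that were bound to the SA by a selector.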