
RE: Is TS agreement necessary?

> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@sonicwall.com]
> Sent: Wednesday, April 03, 2002 11:56 AM
> To: Rajesh Mohan
> Cc: Mike Ditto; ipsec@lists.tislabs.com
> Subject: Re: Is TS agreement necessary?
> 
> 
> Hi Rajesh,
> 
> Rajesh Mohan wrote:
> <trimmed...>
> 
> > > Suppose, as you suggest, that we allowed negotiation of multiple SAs
> > > between two peers without specifying TS values. Ultimately, there must
> > > be *some* policy rule associated with each of these SAs since, as you
> > > suggest, the point is to somehow segregate traffic between them. That
> > > is, for a given SA, some traffic is allowed, and some is not. Please
> > > elaborate upon how we determine which traffic is appropriate for each SA
> > > once they are established.
> > 
> > In my case, on the sender side, I would decide on a tunnel based on VLAN ID
> > or the port from which the packet was received. The selectors in IPSec make
> > it less flexible for applications like these.
> 
> A VLAN ID is typically a layer-2 construct, which may explain why it is
> difficult to use it as a selector for a layer-3 security mechanism.
> Assuming this ID is not contained in the IP packet which traverses the
> tunnel, the remote gateway has no way to verify that such a packet
> matches his local policy. Do you think this is not important?
> 

I am sure it is important in most cases. But in cases where you trust the peer (like between branch offices), it should be good enough if the packet is authenticated. Am I compromising security here?

> > > As an aside, can you tell us why wildcard TS values do not satisfy your
> > > requirements in the same way that omitting TS values would?
> > >
> > 
> > 0.0.0.0/0 is used to mean "allow tunnel traffic only". Something like
> > "allow all traffic from tunnel" will be useful. A tunnel without selectors
> > can be used for that.
> 
> Maybe I'm misunderstanding. What is the distinction between these two
> cases? I would interpret the 0.0.0.0/0 selector to mean "permit any/all
> traffic in this tunnel". By "allow all traffic from tunnel", do you mean
> to imply that you'd like to reference a particular tunnel in some other
> policy rule?
> 

Maybe it is an implementation issue. Excuse me if I misinterpreted the RFC completely. When a packet comes through a tunnel, there is no issue with 0.0.0.0/0. However, for a packet coming in the clear, we will first check if it is part of some VPN. If it is, then we have to drop the packet. If I have 0.0.0.0/0 for this tunnel, then all traffic will match it, which means we will not allow clear traffic at all.


Thanks
-Rajesh M

> Thanks,
> 
> Scott
>
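The cleartext-matching problem Rajesh describes above, illustrated as an added Python model of an ordered SPD lookup. This is not code from the thread or from any IPsec implementation; it follows the RFC 2401 rule that an inbound packet arriving in the clear but matching a PROTECT policy is dropped, and the SPD entries, addresses and ordering are constructed for the example. It shows both the wildcard case (a 0.0.0.0/0 PROTECT entry swallows all clear traffic) and the usual remedy of placing an explicit BYPASS entry ahead of the wildcard:

```python
"""Toy Security Policy Database (SPD) lookup modelled on RFC 2401 inbound
processing (section 5.2): a packet that arrives in the clear but matches a
PROTECT (apply IPsec) entry is discarded, since it should have come through
the tunnel. Added illustration only; selectors are matched on source and
destination address, and all entries and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SPDEntry:
    name: str
    src: ipaddress.IPv4Network   # traffic selector (TS) for the remote side
    dst: ipaddress.IPv4Network   # TS for the local side
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_tunnel: bool             # True if decapsulated from an IPsec SA


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """First-match lookup over an ordered SPD; order is significant."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry
    return None


def inbound_decision(spd: List[SPDEntry], pkt: Packet) -> str:
    """Return 'forward' or 'drop' for an inbound packet."""
    entry = lookup(spd, pkt)
    if entry is None or entry.action == "DISCARD":
        return "drop"
    if entry.action == "BYPASS":
        return "forward"
    # PROTECT: only accepted if the packet really arrived through the SA;
    # a cleartext packet matching this entry is dropped.
    return "forward" if pkt.via_tunnel else "drop"


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed SPD 1: the wildcard branch-office tunnel from the thread.
SPD_WILDCARD = [SPDEntry("branch-tunnel", ANY, ANY, "PROTECT")]

# Constructed SPD 2: same tunnel, but an explicit BYPASS entry for traffic
# that is expected in the clear is ordered before the wildcard.
SPD_ORDERED = [
    SPDEntry("public-web", ANY, ipaddress.ip_network("198.51.100.0/24"), "BYPASS"),
    SPDEntry("branch-tunnel", ANY, ANY, "PROTECT"),
]


def demo() -> Dict[str, str]:
    """Decisions for constructed packets against both SPDs."""
    clear_web = Packet("203.0.113.9", "198.51.100.10", via_tunnel=False)
    tunnel_pkt = Packet("10.1.0.5", "10.2.0.7", via_tunnel=True)
    spoofed_clear = Packet("10.1.0.5", "10.2.0.7", via_tunnel=False)
    return {
        "wildcard/clear-web": inbound_decision(SPD_WILDCARD, clear_web),
        "ordered/clear-web": inbound_decision(SPD_ORDERED, clear_web),
        "ordered/tunnel": inbound_decision(SPD_ORDERED, tunnel_pkt),
        "ordered/spoofed-clear": inbound_decision(SPD_ORDERED, spoofed_clear),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

With only the wildcard PROTECT entry, every cleartext packet matches it and is dropped, which is exactly the "no clear traffic at all" outcome described in the message. Ordering a BYPASS entry for the cleartext-allowed destinations ahead of the wildcard restores that traffic while still dropping cleartext packets that claim VPN addresses.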