
Re: Is TS agreement necessary?



On Fri, 5 Apr 2002, Stephen Kent wrote:

> At 3:56 PM -0800 4/5/02, Kalyan Bade wrote:
> 	<SNIP>
>
> >
> >  >
> >>  RFC 2401 is reasonably clear in noting that the SPD is nominally per
> >>  interface. What sort of management interface is provided to a client
> >>  is up to the vendor, so long as one can achieve the same effects as a
> >>  per-interface SPD.  Otherwise, the implementation would not be
> >>  compliant.
> >
> >Well, the point is whether TS agreement is necessary ? IPsec doesn't
> >really need to know about the phase2 selectors as the routing protocols
> >decide what selectors are allowed on a particular IPsec tunnel. It is
> >decided dynamically depending on the topology and I would say we should
> >be able to do an IKE negotiation without any TS.
> >
> >Thanks,
> >Kalyan.
>
> IPsec is implemented in end systems, BITW devices, and security
> gateways. I'm not convinced that your comment above applies to all of
> these cases. For example, which routing protocols running in my host
> are you referring to?
>
> The question of the need to exchange TS values in IKE is much broader
> than the narrow issue that this thread is now focusing on.
>
> Steve
>

Even in end systems, we can differentiate scenarios based on whether it is
doing transport mode or tunnel mode to a security gateway.

If the end host is doing tunnel mode to a security gateway, then how is
this scenario different from a Mobile Node having a tunnel to a Home
Agent? Even though end-hosts don't run routing protocols, they do routing,
most of the time static routing, and without even static routing
capabilities, the end-hosts are not very useful if you want to do IP
features like Mobile-IP and IPsec. The mobile node software running on the
end host sets up the right static routes in the routing table, for example if
it decides to send all traffic back to the Home Agent or if it wants to
just forward the traffic to the corresponding node to the Foreign Agent.

Anyway, my point is that end hosts can do routing, even if they don't run
routing protocols. They don't have to do routing, and as far as I can see,
neither do they have to do TS negotiation, if there is a general agreement
as to what doing no TS negotiation means.

    chinna

chinna narasimha reddy pellacuru
s/w engineer