
Re: Specification of tunnel/transport attribute in IKEv2



At 10:24 AM +0300 5/23/02, Markku Savela wrote:
>This is supposed to be technical discussion and I consider a
>non-policy checking IKE technically a better solution to the problem.

Note, however, that Dan has pointed out with very clear examples why 
simply moving "policy" from IKE to 2401 will lead to lack of 
interoperability in implementations. It seems like your proposed new 
view of 2401 will either:

- need some policy negotiation outside of IKE before packets start to flow

- need some policy announcement when bad packets are received 
("you're sending me packets that I have no intention of passing to 
the inside network")

- cause black holes that cannot be detected

Could you say briefly which of the above you are proposing? If it is one 
of the first two, which protocol are you saying would be used?

--Paul Hoffman, Director
--VPN Consortium