
Re: Specification of tunnel/transport attribute in IKEv2



On Fri, 24 May 2002, Markku Savela wrote:

> > From: Jan Vilhuber <vilhuber@cisco.com>
> >
> > Sure sounds like an administrative nightmare (as well as wasted
> > bandwidth) to me, when we could simply do it via negotiation in an
> > automated fashion.
>
> I assume you must be referring to the policy maintenance, because
> there is nothing "administrative" in my proposed "policy mismatch
> notification".
>
> As to policy, you *cannot* negotiate it automatically.

Maybe, but in the interest of maintaining a properly functioning
network and being able to troubleshoot it (and interoperate between
vendors), this negotiation is somewhat important (critical in my
mind).

Yea... we COULD configure everything manually. Good luck.

jan


> What use is a policy
> which can be automatically modified at will?
>
> If I have a policy
>
>   - allow HTTP traffic to my WEB server using IPSEC
>   - drop other
>
> Surely you don't want anyone "negotiating" this into
>
>   - allow HTTP traffic to my WEB server using IPSEC
>   - allow ANY with NULL ESP
>   - drop other
>
> So, I assume when you are talking about "negotiating policy", it is
> something which I don't consider as a part of policy? As I have said
> earlier, I have no problem allowing choices in SA algorithm. If
> desired, the policy just lists the allowed alternatives and IKE can
> pick one which is common. (If you are using PFKEY, then just look at
> ACQUIRE message: it has a list of alternatives).

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe
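The distinction Markku draws above (the policy is fixed by the administrator; IKE may only pick, among the alternatives the policy already allows, one that the peer also offers) is easy to show in code. The following is an added illustration written for this archive page, not code from either poster, from IKEv2 or from any PF_KEY implementation. The SPD layout, the `Selector`/`PolicyEntry` types, the address 192.0.2.10, the transform tuples and the status strings are all constructed for the example; only `NO_PROPOSAL_CHOSEN` corresponds to a real IKE notification. A responder handles three peer requests: one that overlaps the allowed alternatives, one that offers only NULL ESP for the web traffic, and one that asks for "ANY with NULL ESP". In no case does the policy itself change.

```python
"""Constructed illustration: IKE chooses among policy-allowed alternatives;
it never rewrites the policy. Names and structures are assumptions for this
example, not IKEv2 or PF_KEY data formats."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Transform = Tuple[str, str, str]  # (protocol, cipher, integrity)


@dataclass(frozen=True)
class Selector:
    dst: str              # destination address, or "ANY"
    proto: str            # "tcp", "udp", or "ANY"
    dport: Optional[int]  # None matches any destination port

    def covers(self, other: "Selector") -> bool:
        """True if every packet described by `other` also matches self."""
        return ((self.dst == "ANY" or self.dst == other.dst)
                and (self.proto == "ANY" or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


@dataclass(frozen=True)
class PolicyEntry:
    selector: Selector
    action: str                                # "ipsec" or "drop"
    alternatives: Tuple[Transform, ...] = ()   # allowed transforms, local preference order


WEB_SERVER = "192.0.2.10"  # constructed example address (documentation range)

# The administrator's policy from the thread:
#   - allow HTTP traffic to my WEB server using IPSEC (two allowed transforms)
#   - drop other
SPD = (
    PolicyEntry(Selector(WEB_SERVER, "tcp", 80), "ipsec",
                (("ESP", "aes-cbc", "hmac-sha1"),
                 ("ESP", "3des-cbc", "hmac-sha1"))),
    PolicyEntry(Selector("ANY", "ANY", None), "drop"),
)


def lookup(spd: Sequence[PolicyEntry], traffic: Selector) -> PolicyEntry:
    """First-match SPD lookup, as a kernel does for a packet or an ACQUIRE."""
    for entry in spd:
        if entry.selector.covers(traffic):
            return entry
    raise LookupError("SPD has no catch-all entry")


def negotiate(spd: Sequence[PolicyEntry], traffic: Selector,
              peer_proposals: Sequence[Transform]):
    """Responder-side decision for one peer request.

    Returns (status, chosen_transform).  The peer can only influence which
    *allowed* alternative is used; it cannot widen what the policy permits.
    """
    entry = lookup(spd, traffic)
    if entry.action != "ipsec":
        # Policy says drop: no SA for this traffic, whatever the peer offers.
        return ("POLICY_MISMATCH", None)
    offered = set(peer_proposals)
    for alt in entry.alternatives:   # walk in local preference order
        if alt in offered:
            return ("SA", alt)
    # Overlap is empty: the standard IKE answer, not a policy edit.
    return ("NO_PROPOSAL_CHOSEN", None)


if __name__ == "__main__":
    web = Selector(WEB_SERVER, "tcp", 80)
    null_esp = ("ESP", "null", "hmac-sha1")
    print(negotiate(SPD, web, [("ESP", "3des-cbc", "hmac-sha1"), null_esp]))
    print(negotiate(SPD, web, [null_esp]))
    print(negotiate(SPD, Selector("ANY", "ANY", None), [null_esp]))
    print("policy unchanged:", len(SPD) == 2 and len(SPD[0].alternatives) == 2)
```

The catch-all `drop` entry is what makes the third request fail: a peer asking for "ANY" traffic never reaches the web-server entry, so no set of offered transforms can turn "drop other" into "allow ANY with NULL ESP". The only negotiation left is the one Markku describes as acceptable, choosing among the transforms the entry already lists.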