
Re: SOI QUESTION: 5.3 SPD entries



Theodore Ts'o wrote:
> 
> Please discuss and answer the following question:
> 
> 5.3 SPD entries
> 
> 5.3.A) Is it important in SOI to allow the responder to accept a subset
> of the proposed SA, or should it be an all or nothing acceptance?
> 
> 5.3.B) Should the SOI offer multiple selectors with specific ports and
> addresses, or a single selector with a range of ports and range of
> addresses?  (complicated boolean complexity!)
> 
> Implications from the scenarios:
> 
> <<<In the case of a pair of SGWs fronting multiple non-contiguous
> subnets, a mechanism that allowed the negotiation of a list of phase 2
> identities will help to alleviate the number of IPsec tunnels that must
> be created.>>> [[[5.3]]]

It would be good to be able to configure a VPN client to be able
to connect to
     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
and let the gateway figure out which of the network(s) is actually
behind it, and return that subset in the return message. This would
remove the need to pre-configure that information in the client.
I know some vendors use config mode to convey that information from
the gateway to the client, but that's not too nice a strategy for SOI.
If the SA selectors must match correctly from the start, something
config mode looking is likely to emerge.

Ari

-- 

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise
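The behaviour described in this message (client proposes the three RFC 1918 ranges, gateway answers with the subset it actually protects) can be shown in a few lines of Python. The example below is added here and is not code from this thread, from SOI, or from any vendor; the gateway's protected networks are a constructed, hypothetical configuration, and the narrowing and validation rules are the ones the message implies, not a specification. It covers both halves of the question: narrowing to a subset (5.3.A) against all-or-nothing acceptance, and a single proposed range resolving to several non-contiguous selectors (5.3.B). The client-side check at the end is the part a defender cares about: a responder must only narrow, never widen, what was proposed.

```python
import ipaddress

# Constructed input: the three RFC 1918 ranges the client proposes as selectors.
PROPOSED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed, hypothetical gateway configuration: the networks actually behind it.
# 203.0.113.0/24 is protected but was not proposed, so it must not be returned.
GATEWAY_PROTECTED = ["10.1.0.0/16", "10.7.32.0/24", "192.168.5.0/24", "203.0.113.0/24"]


def narrow_selectors(proposed, protected):
    """Responder side (5.3.A, subset acceptance): return the portion of the
    proposed address selectors that the gateway can serve, as a sorted,
    collapsed list of CIDR strings. A single wide proposal may come back as
    several non-contiguous networks (the 5.3.B case)."""
    proposed_nets = [ipaddress.ip_network(p) for p in proposed]
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    accepted = []
    for prot in protected_nets:
        for prop in proposed_nets:
            if prot.subnet_of(prop):
                # Protected network lies inside a proposed range: accept it.
                accepted.append(prot)
                break
            if prop.subnet_of(prot):
                # Proposed range is narrower than the protected one: accept
                # only what was proposed, never more.
                accepted.append(prop)
                break
    return [str(n) for n in ipaddress.collapse_addresses(accepted)]


def accept_all_or_nothing(proposed, protected):
    """Responder side (5.3.A, all-or-nothing): True only if every proposed
    range is fully covered by some protected network. With the RFC 1918
    proposal above this fails, which is why the message argues for subsets."""
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    for prop in proposed:
        net = ipaddress.ip_network(prop)
        if not any(net.subnet_of(prot) for prot in protected_nets):
            return False
    return True


def is_valid_narrowing(proposed, returned):
    """Initiator side: every selector the gateway returns must lie inside one
    of the ranges the client proposed. A responder that answers with a
    selector outside the proposal is widening, and the answer must be rejected
    rather than installed into the SPD."""
    proposed_nets = [ipaddress.ip_network(p) for p in proposed]
    for r in returned:
        net = ipaddress.ip_network(r)
        if not any(net.subnet_of(prop) for prop in proposed_nets):
            return False
    return True


if __name__ == "__main__":
    answer = narrow_selectors(PROPOSED, GATEWAY_PROTECTED)
    print("gateway returns:", answer)
    print("all-or-nothing would succeed:", accept_all_or_nothing(PROPOSED, GATEWAY_PROTECTED))
    print("client accepts answer:", is_valid_narrowing(PROPOSED, answer))
```

Run as a script it prints the three narrowed networks, shows that all-or-nothing acceptance would have failed the same proposal, and confirms the client-side check passes; feeding the check a selector such as 203.0.113.0/24 makes it fail, which is the case an initiator must refuse.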