Re: Adding revised identities to IKEv2
Stephen Kent writes:
> At 11:32 AM -0800 11/15/02, Michael Thomas wrote:
> >The second is the classification/filtering
> >operation after the packet is integrity checked.
> >This is just the normal 5-tuple filtering which
> >may or may not pay attention to the source address
> >(ie, it could be wildcarded).
>
> in principle the SPD entry for this SA might wild card the source
> address, but in practice we create pairs of SAs and the IP address
> for outbound traffic in the matching SA must be constrained in some
> fashion, typically by specifying a single IP address or address range
> (or mask), to ensure that all traffic destined to a host or set of
> hosts is mapped to an SA that terminates at an IPsec implementation
> serving that host or set of hosts.
This is clearly a trade-off. Your network security is my
mobile hostility :)
Mike
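
The trade-off discussed in this message, as an added example that is not part of the original thread: a toy SPD with per-host selectors next to one with wildcarded selectors, showing outbound SA selection and the post-integrity-check inbound selector test. The `Entry` type, function names, SPI values and addresses (documentation ranges) are all constructed for illustration and do not come from any IPsec implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One SPD entry: the peer addresses it covers and the SA (by SPI) it maps to."""
    peer: ipaddress.IPv4Network
    spi: int


def lookup_outbound(spd, dst):
    """Ordered SPD lookup: return the SPI of the first entry covering dst, else None."""
    addr = ipaddress.ip_address(dst)
    for entry in spd:
        if addr in entry.peer:
            return entry.spi
    return None


def check_inbound(spd, spi, src):
    """Selector check run after the packet passed its integrity check on SA `spi`."""
    addr = ipaddress.ip_address(src)
    return any(e.spi == spi and addr in e.peer for e in spd)


# Constructed sample data: two SA pairs, one per remote host.
CONSTRAINED = [
    Entry(ipaddress.ip_network("192.0.2.10/32"), 0x1001),
    Entry(ipaddress.ip_network("192.0.2.20/32"), 0x1002),
]
# Same SAs, but every selector wildcards the peer address.
WILDCARD = [
    Entry(ipaddress.ip_network("0.0.0.0/0"), 0x1001),
    Entry(ipaddress.ip_network("0.0.0.0/0"), 0x1002),
]

if __name__ == "__main__":
    # Outbound: constrained selectors pick the SA that serves the destination;
    # wildcarded selectors send everything down whichever SA is listed first.
    print(hex(lookup_outbound(CONSTRAINED, "192.0.2.20")))
    print(hex(lookup_outbound(WILDCARD, "192.0.2.20")))
    # Inbound: the host behind SA 0x1001 has moved to 198.51.100.7.
    # The constrained entry drops its traffic; the wildcarded entry accepts it.
    print(check_inbound(CONSTRAINED, 0x1001, "198.51.100.7"))
    print(check_inbound(WILDCARD, 0x1001, "198.51.100.7"))
```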