Re: Adding revised identities to IKEv2



Stephen Kent writes:
 > At 11:32 AM -0800 11/15/02, Michael Thomas wrote:
 > >The second is the classification/filtering
 > >operation after the packet is integrity checked.
 > >This is just the normal 5-tuple filtering which
 > >may or may not pay attention to the source address
 > >(i.e., it could be wildcarded).
 > 
 > in principle the SPD entry for this SA might wild card the source 
 > address, but in practice we create pairs of SAs and the IP address 
 > for outbound traffic in the matching SA must be constrained in some 
 > fashion, typically by specifying a single IP address or address range 
 > (or mask), to ensure that all traffic destined to a host or set of 
 > hosts is mapped to an SA that terminates at an IPsec implementation 
 > serving that host or set of hosts.

This is clearly a trade-off. Your network security is my
mobile hostility :)

		  Mike