
Re: Adding revised identities to IKEv2



At 4:29 PM -0800 11/19/02, Michael Thomas wrote:
>Stephen Kent writes:
>  > At 11:32 AM -0800 11/15/02, Michael Thomas wrote:
>  > >The second is the classification/filtering
>  > >operation after the packet is integrity checked.
>  > >This is just the normal 5-tuple filtering which
>  > >may or may not pay attention to the source address
>  > >(ie, it could be wildcarded).
>  >
>  > in principle the SPD entry for this SA might wild card the source
>  > address, but in practice we create pairs of SAs and the IP address
>  > for outbound traffic in the matching SA must be constrained in some
>  > fashion, typically by specifying a single IP address or address range
>  > (or mask), to ensure that all traffic destined to a host or set of
>  > hosts is mapped to an SA that terminates at an IPsec implementation
>  > serving that host or set of hosts.
>
>This is clearly a trade-off. Your network security, is my
>mobile hostility :)
>
>		  Mike

I would not want to be portrayed as hostile to mobile users :-), but 
I do note that if one puts a wildcard source address for the source 
IP address in an SPD entry, then one enables the peer IPsec to 
masquerade as any possible source.  This falls into the category that 
yes, you could do this, but you may be sorry! This clearly requires 
an asymmetric SPD entry, since you do need to know the source address 
to select the right outbound SA.

Steve
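A small model of the two operations discussed in this thread, the inbound post-integrity-check filter and the outbound SA selection, added here as an illustration; it is not code from the thread or from any IPsec implementation, and the addresses, SA names and the 0.0.0.0/0 wildcard convention are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")  # wildcard selector (assumed convention)
NET = ipaddress.ip_network


@dataclass(frozen=True)
class Selector:
    """Traffic selector bound to an SA: source prefix, destination prefix, IP protocol (0 = any)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int = 0

    def matches(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (0, proto))


# Constructed example: local protected net 192.0.2.0/24, peer A serves 10.1.0.0/16.
PEER_A_CONSTRAINED = Selector(NET("10.1.0.0/16"), NET("192.0.2.0/24"))
PEER_A_WILDCARD = Selector(ANY, NET("192.0.2.0/24"))

# Outbound entries (the asymmetric side): destination is constrained so that
# traffic for 10.1.0.0/16 is mapped only to the SA that terminates at peer A.
OUTBOUND_SPD = [
    ("sa-to-peer-A", Selector(NET("192.0.2.0/24"), NET("10.1.0.0/16"))),
    ("sa-to-peer-B", Selector(NET("192.0.2.0/24"), NET("10.2.0.0/16"))),
]


def inbound_check(sa_selector, src_ip, dst_ip, proto):
    """Filtering applied after the packet's integrity check: the decapsulated header
    is compared against the selector negotiated for the SA it arrived on.
    With a wildcard source, any source address the peer chooses is admitted."""
    return sa_selector.matches(src_ip, dst_ip, proto)


def select_outbound_sa(outbound_spd, src_ip, dst_ip, proto):
    """Outbound lookup: the first entry whose selector covers the packet picks the SA."""
    for sa_name, sel in outbound_spd:
        if sel.matches(src_ip, dst_ip, proto):
            return sa_name
    return None


if __name__ == "__main__":
    spoofed = ("203.0.113.9", "192.0.2.10", 6)  # source outside peer A's range
    print("wildcard admits spoofed source:", inbound_check(PEER_A_WILDCARD, *spoofed))
    print("constrained admits spoofed source:", inbound_check(PEER_A_CONSTRAINED, *spoofed))
    print("outbound SA for 10.1.2.3:", select_outbound_sa(OUTBOUND_SPD, "192.0.2.10", "10.1.2.3", 6))
```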