
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP



BSingh@Nomadix.com wrote:
<trimmed...> 
> But I guess this is not what RFC2401 says and it leaves it open for various
> implementations to have different SPD methodology. Can you update me on
> what other ways SPD entries are looked up for tunnel selection? I am more
> interested in the source address or some source parameter being included as
> the criteria for tunnel selection, or an SPD interface that lets me make
> policies based on the source of the packets. Is it possible? If you can
> guide me there I would really appreciate it.

I think RFC2401 is quite explicit about what selectors are used in SPD
lookups. Based on this, the virtual interface approach suffers from (at
least) two problems: first, routing lookups are most specific to least
specific (i.e. "best match"), meaning the administrator may not be able
to strictly control the ordering of SPD elements. Secondly, it does not
support protocol and/or ports as selectors.

Scott
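
The two lookup semantics contrasted above (an ordered SPD where the first matching entry wins, versus a routing table where the most specific destination prefix wins) are easy to see side by side in a small model. The following is an added example, not code from this thread or from any IPsec implementation; the addresses, policy entries and packets are constructed for illustration, and the PROTECT/BYPASS/DISCARD actions and the selector set (source, destination, protocol, port) follow RFC 2401.

```python
"""Ordered first-match SPD lookup (RFC 2401 style) versus a routing-table
style longest-prefix lookup, with a constructed policy set that shows where
the two disagree.  Added example; not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: Optional[str] = None   # "tcp", "udp", ... (None = unknown)
    dport: Optional[int] = None   # destination port, if any


@dataclass(frozen=True)
class SpdEntry:
    src: str                      # CIDR selector on source address
    dst: str                      # CIDR selector on destination address
    action: str                   # PROTECT (apply IPsec), BYPASS, DISCARD
    proto: Optional[str] = None   # None means "any protocol"
    dport: Optional[int] = None   # None means "any destination port"


def entry_matches(e: SpdEntry, p: Packet) -> bool:
    """All selectors of an entry must match the packet (RFC 2401 selectors)."""
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    if e.proto is not None and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def spd_lookup(spd: list[SpdEntry], p: Packet) -> str:
    """RFC 2401 semantics: the SPD is an ordered list, first match wins."""
    for e in spd:
        if entry_matches(e, p):
            return e.action
    return "DISCARD"   # no matching policy: the packet is dropped


def route_lookup(routes: dict[str, str], p: Packet) -> str:
    """Virtual-interface style: the action attached to the longest destination
    prefix containing the packet wins, regardless of list order or ports."""
    dst = ipaddress.ip_address(p.dst)
    best = None
    for cidr, action in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "DISCARD"


# Constructed policy (hypothetical addresses), in the order the admin wants:
# 1. never let telnet reach the remote site, not even through the tunnel
# 2. tunnel everything from the local site 10.0.0.0/8 to the remote 10.1.0.0/16
# 3. other sources may reach one remote subnet in the clear
# 4. everything else in the clear
SPD = [
    SpdEntry("0.0.0.0/0",  "10.1.0.0/16", "DISCARD", proto="tcp", dport=23),
    SpdEntry("10.0.0.0/8", "10.1.0.0/16", "PROTECT"),
    SpdEntry("0.0.0.0/0",  "10.1.9.0/24", "BYPASS"),
    SpdEntry("0.0.0.0/0",  "0.0.0.0/0",   "BYPASS"),
]

# The closest a routing table to a virtual tunnel interface can get: only the
# destination prefix is available as a selector, and the most specific wins.
ROUTES = {
    "10.1.0.0/16": "PROTECT",
    "10.1.9.0/24": "BYPASS",
    "0.0.0.0/0":   "BYPASS",
}


def compare(p: Packet) -> tuple[str, str]:
    """Return (SPD first-match action, routing best-match action)."""
    return spd_lookup(SPD, p), route_lookup(ROUTES, p)


if __name__ == "__main__":
    for pkt in (Packet("10.0.5.5", "10.1.2.3", "tcp", 23),     # telnet
                Packet("10.0.5.5", "10.1.9.7", "tcp", 443),    # local -> /24
                Packet("192.168.1.1", "10.1.9.7", "tcp", 443), # foreign -> /24
                Packet("10.0.5.5", "10.1.2.3", "tcp", 443)):
        print(pkt, compare(pkt))
```

The first packet shows the missing selectors: the SPD discards telnet, while the route table has no way to express a port and tunnels it. The second shows the ordering problem: the admin placed the site-to-site PROTECT entry ahead of the BYPASS subnet, so local traffic to 10.1.9.0/24 is still protected under the SPD, but the /24 route is more specific and silently wins under best-match routing.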