
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP



"Scott G. Kelly" <scott@airespace.com> writes:

> > > In such cases, no SPD entries are consulted following the routing
> > > lookup, and the routing table (effectively) becomes the SAD/SPD. I think
> > > this has obvious issues in terms of satisfying the selector criteria you
> > > outlined in RFC2401, for the reasons I enumerated above.
> > 
> > This works fine for output processing, but not necessarily for input
> > processing.
> 
> I guess I don't understand what you mean. I don't think it works
> according to what is specified in RFC2401, as (1) you cannot control the
> SPD ordering due to the fact that route selection is best match (unless
> your SPD happens to be ordered from most specific to least specific),
> and (2) you cannot select traffic based on protocols/ports. So, it
> doesn't really work right (where "right" means "in accordance with
> RFC2401") for either egress or ingress, does it?

Well, you can. The point that was being made was that you'd have an
SPD "per route". So, after you choose the route you're going to take,
you look up the SPD and choose the SA to use (if any). The traffic could
be dropped at this point, too.

My only point was that on input you don't necessarily have the "input
routing" information, so you may not know which virtual route was
used, so searching input SPDs is much more difficult.

> Scott

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
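The disagreement in this exchange (an ordered, port-aware RFC2401 SPD versus a policy hung off each route and selected by longest-prefix match) can be made concrete. This is an added illustration, not code from the list or from any IPsec implementation; the prefixes, policies and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    dst: ipaddress.IPv4Network
    proto: Optional[str]      # None = any protocol
    dport: Optional[int]      # None = any destination port
    action: str               # "PROTECT", "BYPASS" or "DISCARD"

def ordered_spd_lookup(spd, dst, proto, dport):
    """RFC2401-style SPD: an ordered list, first matching entry wins,
    and entries may select on protocol and port as well as address."""
    for p in spd:
        if dst in p.dst and p.proto in (None, proto) and p.dport in (None, dport):
            return p.action
    return "DISCARD"          # no entry matched

def per_route_lookup(routes, dst):
    """Route-based 'SPD': longest prefix match picks the route and the policy
    attached to that route decides; protocol and port never enter into it."""
    best = None
    for net, action in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "DISCARD"

# Constructed policy set: protect telnet to all of 10/8, let the 10.1/16
# site through in the clear, protect everything else in 10/8.
SPD = [
    Policy(ipaddress.ip_network("10.0.0.0/8"), "tcp", 23, "PROTECT"),
    Policy(ipaddress.ip_network("10.1.0.0/16"), None, None, "BYPASS"),
    Policy(ipaddress.ip_network("10.0.0.0/8"), None, None, "PROTECT"),
]
# The closest a routing table can get: one policy per prefix, no port selector.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "PROTECT"),
    (ipaddress.ip_network("10.1.0.0/16"), "BYPASS"),
]

def compare(dst, proto, dport):
    """Return (ordered-SPD decision, per-route decision) for one packet."""
    d = ipaddress.ip_address(dst)
    return ordered_spd_lookup(SPD, d, proto, dport), per_route_lookup(ROUTES, d)

if __name__ == "__main__":
    for pkt in [("10.1.2.3", "tcp", 23), ("10.1.2.3", "tcp", 80), ("10.2.0.1", "tcp", 23)]:
        print(pkt, compare(*pkt))   # telnet into 10.1/16: PROTECT vs BYPASS
```

Telnet to a host in 10.1/16 is the case Scott's objection is about: the ordered SPD protects it because the port-specific entry comes first, while the routing table's best match is the /16 and its attached policy sends it in the clear.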