
Re: I-D ACTION:draft-ietf-ipsec-sctp-06.txt



Paul,

No, it appears your reading of this is correct.  I hope this is a bug
(or an oversight).  I agree with you that a road warrior probably has
a different inner IP address than external IP address.  The main
difference between a road warrior and a security gateway is that the
road warrior generally has an inner network of an IPv4/32 or an
IPv6/128.

I agree this text should be fixed.

-derek

"Paul Knight" <paul.knight@nortelnetworks.com> writes:

> Hi Steve and all, 
> 
> The draft (in the end of Section 2, below) appears to propose a new
> requirement that remote access tunnel mode IPsec users MUST use an inner IP
> address equivalent to their outer address (or else it reclassifies such
> users as "security gateways").  This seems to directly contradict all the
> work with DHCP over IKE and the entire Configuration Payload discussion, all
> of which is based on assigning an inner tunnel address which can be a part
> of a VPN address domain (i.e., different from the outer address).
> 
> Am I missing something (besides my second cup of coffee)?
> 
> Regards,
> Paul Knight
> 
> From Section 2:
>    When operating in tunnel mode, the question of what to use as the
>    tunnel destination address (for the "outer" header) arises.  We
>    distinguish three cases: where the end hosts are also the tunnel
>    endpoints; where neither host is a tunnel endpoint (the tunnel
>    endpoints are security gateways); and where only one of the hosts is
>    a tunnel endpoint (the usual case for the "road warrior" talking to
>    a security gateway).  In the first case, the outer addresses MUST be
>    the same as the inner addresses of the tunnel.  In the second case
>    (security gateways) there is no special processing; address
>    selection proceeds as it would for two distinct sets of end hosts.
>    In the third case, the "road warrior" uses the security gateway's
>    address as the tunnel destination address, and MUST use the same
>    source address as that of the inner packet.  Symmetrically, the
>    security gateway uses its own address as the source address of the
>    tunnel, and MUST use the same destination address in the outer
>    header as that of the inner packet.  An implementation will probably
>    structure the code so that if, during SA setup, the inner and outer
>    address of either side is the same, rather than explicitly store the
>    corresponding address of the tunnel, it sets a flag that marks the SA
>    to use the same address in the tunnel header as in the inner header.

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
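To make the objection concrete, here is a small model (added for this archive page; it is not code from the draft or from either correspondent) of the SA structure the quoted Section 2 suggests, where an outer address is either stored explicitly or flagged "same as the inner header". It builds the road-warrior SA both ways and shows what the outer header becomes when the inner address was assigned from a VPN address domain; all addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 space: an address from here cannot serve as the tunnel source
# on the public Internet, which is the practical consequence at issue.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)

@dataclass
class TunnelSA:
    """Outbound half of a tunnel-mode SA, structured as the draft text
    suggests: an outer address is stored explicitly, or left as None,
    meaning 'use the same address as the inner header'."""
    outer_src: Optional[str]
    outer_dst: Optional[str]

    def outer_header(self, inner_src: str, inner_dst: str) -> tuple:
        src = inner_src if self.outer_src is None else self.outer_src
        dst = inner_dst if self.outer_dst is None else self.outer_dst
        return src, dst

def road_warrior_sa(public_addr: str, gateway: str, follow_draft: bool) -> TunnelSA:
    """Road warrior -> gateway SA.  With follow_draft=True the outer source
    is flagged 'same as inner', as the quoted MUST requires; otherwise the
    public address is stored explicitly, which is what an inner address
    assigned via DHCP over IKE or a Configuration Payload needs."""
    if follow_draft:
        return TunnelSA(outer_src=None, outer_dst=gateway)
    return TunnelSA(outer_src=public_addr, outer_dst=gateway)

def check_encapsulation(sa: TunnelSA, inner_src: str, inner_dst: str) -> dict:
    """Outer header the SA would emit, plus whether its source is unroutable."""
    src, dst = sa.outer_header(inner_src, inner_dst)
    return {"outer": (src, dst), "unroutable_outer_src": is_rfc1918(src)}

# Constructed sample: assigned inner 10.0.0.5, public 203.0.113.7,
# gateway 198.51.100.1, server behind the gateway 10.0.1.20.
PUBLIC, GATEWAY, INNER, SERVER = "203.0.113.7", "198.51.100.1", "10.0.0.5", "10.0.1.20"

if __name__ == "__main__":
    for follow in (True, False):
        sa = road_warrior_sa(PUBLIC, GATEWAY, follow)
        print("draft rule:" if follow else "explicit:  ", check_encapsulation(sa, INNER, SERVER))
```

Under the draft's rule the outer source comes out as the assigned 10.0.0.5, so the packet could not leave the road warrior's network; storing the outer address explicitly yields the expected 203.0.113.7 -> 198.51.100.1 tunnel header.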