Re: I-D ACTION:draft-ietf-ipsec-sctp-06.txt
Paul,
No, it appears your reading of this is correct. I hope this is a bug
(or an oversight). I agree with you that a road warrior probably has
a different inner IP address than external IP Address. The main
difference between a road warrior and a security gateway is that the
road warrior generally has an inner network of an IPv4/32 or an
IPv6/128.
I agree this text should be fixed.
-derek
"Paul Knight" <paul.knight@nortelnetworks.com> writes:
> Hi Steve and all,
>
> The draft (in the end of Section 2, below) appears to propose a new
> requirement that remote access tunnel mode IPsec users MUST use an inner IP
> address equivalent to their outer address (or else it reclassifies such
> users as "security gateways"). This seems to directly contradict all the
> work with DHCP over IKE and the entire Configuration Payload discussion, all
> of which is based on assigning an inner tunnel address which can be a part
> of a VPN address domain (i.e., different from the outer address).
>
> Am I missing something (besides my second cup of coffee)?
>
> Regards,
> Paul Knight
>
> From Section 2:
> When operating in tunnel mode, the question of what to use as the
> tunnel destination address (for the "outer" header) arises. We
> distinguish three cases: where the end hosts are also the tunnel
> endpoints; where neither host is a tunnel endpoint (the tunnel
> endpoints are security gateways); and where only one of the hosts is
> a tunnel endpoint (the usual case for the "road warrior" talking to
> a security gateway). In the first case, the outer addresses MUST be
> the same as the inner addresses of the tunnel. In the second case
> (security gateways) there is no special processing; address
> selection proceeds as it would for two distinct sets of end hosts.
> In the third case, the "road warrior" uses the security gateway's
> address as the tunnel destination address, and MUST use the same
> source address as that of the inner packet. Symmetrically, the
> security gateway uses its own address as the source address of the
> tunnel, and MUST use the same destination address in the outer
> header as that of the inner packet. An implementation will probably
> structure the code so that if, during SA setup, the inner and outer
> address of either side is the same, rather than explicitly store the
> corresponding address of the tunnel, it sets a flag that marks the SA
> to use the same address in the tunnel header as in the inner header.
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
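As an added illustration (not part of the thread or of the draft), the following Python models the Section 2 addressing rule exactly as quoted above and shows that a road warrior with an inner address assigned from a VPN pool fails its MUST, which is the configuration Paul's message describes. The `Endpoint` model, the function names and all addresses are constructed for this example.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Endpoint:
    """One side of a tunnel-mode SA (constructed model, not draft text)."""
    inner: str        # address carried in the inner (protected) header
    outer: str        # address this side puts in the outer (tunnel) header
    is_gateway: bool  # True when this side protects other hosts behind it

    def __post_init__(self):
        ipaddress.ip_address(self.inner)  # reject malformed sample values
        ipaddress.ip_address(self.outer)

    def same_address_flag(self):
        """The optimisation the draft suggests: rather than storing the outer
        address, mark the SA so the outer header copies the inner one."""
        return self.inner == self.outer

def classify(a, b):
    """Map a pair of endpoints onto the draft's three tunnel-mode cases."""
    if a.is_gateway and b.is_gateway:
        return "gateways"
    if not a.is_gateway and not b.is_gateway:
        return "end-hosts"
    return "road-warrior"

def check_draft_rule(a, b):
    """Apply the Section 2 MUSTs as written; return (case, violations)."""
    case = classify(a, b)
    violations = []
    if case == "end-hosts":
        # First case: outer addresses MUST equal inner addresses on both sides.
        violations += [f"{e.inner}: outer {e.outer} must equal inner"
                       for e in (a, b) if not e.same_address_flag()]
    elif case == "road-warrior":
        # Third case: the road warrior MUST use its inner source address as the
        # outer source, and the gateway MUST mirror it as outer destination.
        rw = b if a.is_gateway else a
        if not rw.same_address_flag():
            violations.append(f"road warrior inner {rw.inner} != outer {rw.outer}")
    # Second case (two gateways): no special processing.
    return case, violations

# Constructed samples: a gateway, a road warrior using one address throughout,
# and a road warrior whose inner address came from a VPN pool (the setup
# Paul's message says the quoted text would forbid).
GATEWAY = Endpoint("203.0.113.1", "203.0.113.1", True)
RW_SAME = Endpoint("198.51.100.7", "198.51.100.7", False)
RW_ASSIGNED = Endpoint("10.8.0.5", "198.51.100.7", False)
```

Running `check_draft_rule(RW_ASSIGNED, GATEWAY)` returns the road-warrior case with one violation, while `RW_SAME` passes, which is exactly the gap between the draft text and DHCP-over-IKE or Configuration Payload address assignment.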