
Re: Question on inbound IPSEC policy check



At 1:03 PM +0530 4/23/03, Jyothi wrote:
>Hi all,
>
>I have a question regarding the inbound SPD policy checking.
>
>Please consider the following scenario:
>
>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>
>Office1Network has HTTP as well as other services hosted.
>Office1 administrator wants to make sure that all HTTP traffic has to go with
>3DES and SHA1
>
>And all other traffic can go with AH MD5 and no encryption is required for
>performance reasons.
>
>In this case, if the Office2Network SG is misconfigured or they did not even
>configure an HTTP policy,
>
>then SG1 accepts the HTTP traffic and processes it.
>After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE 
>PACKETS, because higher priority SPD policy is created for the HTTP 
>traffic.
>
>Any advice on this would be greatly appreciated
>
>
>Thanks in advance,
>Jyothi

Yes, the exit check at SG1 should reject traffic that has either 
source or dest port = 80, consistent with the policy you articulated 
above.
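The post-decapsulation check the reply describes, as an added example (not code from the thread): a constructed model of SG1's SPD with the HTTP entry at higher priority than the catch-all AH entry, and of the SA each inbound packet arrived on. Entry names, the port-based selectors and the SA labels are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model (assumption): an inbound SA records the protection it
# actually applied; the SPD is an ordered list where the first match wins.

@dataclass(frozen=True)
class SA:
    proto: str   # "ESP" or "AH"
    cipher: str  # "3DES" or "NULL" (AH carries no encryption)
    auth: str    # "SHA1" or "MD5"

@dataclass(frozen=True)
class SPDEntry:
    name: str
    ports: Optional[Set[int]]  # TCP ports (src or dst) selected; None = any
    proto: str
    cipher: str
    auth: str

# SG1's policy from the thread: HTTP must use ESP 3DES/SHA1 (higher
# priority); everything else uses AH MD5 with no encryption.
SPD = [
    SPDEntry("http", {80}, "ESP", "3DES", "SHA1"),
    SPDEntry("other", None, "AH", "NULL", "MD5"),
]

def lookup(src_port: int, dst_port: int) -> Optional[SPDEntry]:
    """Return the highest-priority SPD entry whose selectors match."""
    for entry in SPD:
        if entry.ports is None or src_port in entry.ports or dst_port in entry.ports:
            return entry
    return None  # no entry: default action is DISCARD

def inbound_check(sa: SA, src_port: int, dst_port: int) -> bool:
    """After IPsec processing, re-check the packet's selectors against the
    SPD and accept only if the SA it arrived on gave the required protection.
    True = accept, False = drop."""
    entry = lookup(src_port, dst_port)
    if entry is None:
        return False
    return (sa.proto, sa.cipher, sa.auth) == (entry.proto, entry.cipher, entry.auth)

# Constructed inbound SAs negotiated with SG2.
AH_MD5 = SA("AH", "NULL", "MD5")
ESP_3DES_SHA1 = SA("ESP", "3DES", "SHA1")
```

With this check, an HTTP packet that SG2 sent over the AH MD5 SA (because it lacks the HTTP policy) is dropped after decapsulation even though the AH check itself passed.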