Re: IPsec issue #46 -- No need for nested SAs or SA bundles
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
Markku> Just a note: my implementation can do nested SA's, assuming you
Markku> mean situation where you have an internal node "Another" that
Markku> wants IPSEC, but which happens to be behind a security gateway SG:
Markku>                    SA1
Markku>      MyNode <---------------> SG
Markku>      <----------------------------------------> Another
Markku>                    SA2
Let me extend this a bit, to make sure we are talking about the same thing.
SPD:
            SRCIP        DESTIP        gateway
     SA1    MyNode/32    Another/32    SG
     SA2    MyNode/32    Another/32    Another
FreeS/WAN currently can *NOT* handle this. I consider this a serious bug,
which I, unfortunately, do not have a mandate to fix at this time.
I believe that this facility needs to remain in the specification. In
particular, when "MyNode" decapsulates, it has to be very careful to avoid
losing any privileges that SA1 or SA2 might have conveyed, while still
protecting things properly.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat
iQCVAwUBP1Ubr4qHRg3pndX9AQGLHQQAoxssKgYDj88AimxNbSU9jZGULpv8OjLP
r8Iyx0klU9SmG2YiEC3aMXZEl5Enu3gXTETPPUy9tPC5n7jbsEqSR5L2BEQFyWdq
PT1v8MjIDlVlZ5NHnQiKZRzcj7hgvJEBNKfdznkeavVov1yM259Vgjz8af416FKy
AtiZP3LXaso=
=hmzS
-----END PGP SIGNATURE-----
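The nested-SA case discussed above, as an added example that is not part of the original message and is neither Markku's nor FreeS/WAN's code: a toy SPD/SAD model in which MyNode reaches "Another" behind gateway SG through two tunnel-mode SAs. Outbound, the end-to-end SA (SA2) is applied first and the gateway SA (SA1) wraps it; inbound, MyNode records every SA a packet was decapsulated from and refuses to deliver it unless the SPD's full set of required SAs was actually traversed, which is the "avoid losing privileges while still protecting things properly" point. All addresses, SPIs and packets are constructed for the illustration; the SPI-keyed SAD, the SPD selectors and the `traversed` bookkeeping are assumptions of this model, not of any real implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union


@dataclass(frozen=True)
class SA:
    """One unidirectional tunnel-mode SA (all values constructed for the example)."""
    name: str
    spi: int
    src: str   # outer-header source
    dst: str   # outer-header destination: the tunnel endpoint ("gateway" column of the SPD)


@dataclass(frozen=True)
class SPDEntry:
    src_sel: str   # source selector, CIDR
    dst_sel: str   # destination selector, CIDR
    sas: tuple     # SAs the policy requires, innermost first


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: Optional[int] = None            # set when this header is an ESP encapsulation
    inner: Union["Packet", bytes] = b""  # the encapsulated packet, or the plaintext payload


# Constructed addresses: MyNode, the internal node Another, and the gateway SG in front of it.
MYNODE, ANOTHER, SG = "10.0.0.1", "192.0.2.7", "198.51.100.1"

SA2_OUT = SA("SA2", 0x2002, MYNODE, ANOTHER)   # end-to-end SA, applied first (inner)
SA1_OUT = SA("SA1", 0x1001, MYNODE, SG)        # SA to the gateway, wraps the result (outer)
SA2_IN = SA("SA2", 0x2003, ANOTHER, MYNODE)    # reverse direction SAs for inbound processing
SA1_IN = SA("SA1", 0x1002, SG, MYNODE)

# SPD as in the thread: MyNode/32 <-> Another/32 needs both SA1 (via SG) and SA2 (via Another).
SPD_OUT = [SPDEntry(f"{MYNODE}/32", f"{ANOTHER}/32", (SA2_OUT, SA1_OUT))]
SPD_IN = [SPDEntry(f"{ANOTHER}/32", f"{MYNODE}/32", (SA2_IN, SA1_IN))]
SAD_IN = {sa.spi: sa for e in SPD_IN for sa in e.sas}   # inbound SAD keyed by SPI


def spd_lookup(spd, src, dst):
    """First SPD entry whose selectors cover (src, dst), or None."""
    for e in spd:
        if ip_address(src) in ip_network(e.src_sel) and ip_address(dst) in ip_network(e.dst_sel):
            return e
    return None


def outbound(pkt):
    """Encapsulate pkt under every SA the policy requires, innermost first.

    Returns (wrapped packet, names of the SAs in the order they were applied).
    """
    entry = spd_lookup(SPD_OUT, pkt.src, pkt.dst)
    if entry is None:
        raise PermissionError("no SPD entry: drop")
    wrapped, order = pkt, []
    for sa in entry.sas:
        wrapped = Packet(sa.src, sa.dst, sa.spi, wrapped)
        order.append(sa.name)
    return wrapped, order


def inbound(pkt):
    """Strip every ESP layer at MyNode, remembering which SAs the packet came through,
    then check that set against the SPD before delivering the plaintext packet.

    Returns (plaintext packet, names of the SAs traversed, outermost first).
    """
    traversed = []
    while pkt.spi is not None:
        sa = SAD_IN.get(pkt.spi)
        if sa is None or (sa.src, sa.dst) != (pkt.src, pkt.dst):
            raise PermissionError("unknown SPI or tunnel endpoint mismatch: drop")
        traversed.append(sa.name)
        pkt = pkt.inner
    entry = spd_lookup(SPD_IN, pkt.src, pkt.dst)
    if entry is None:
        raise PermissionError("no SPD entry for decapsulated packet: drop")
    # The privileges check: a packet claiming to come from Another must have been
    # protected by SA2 as well as SA1, not merely arrived through the gateway tunnel.
    missing = {sa.name for sa in entry.sas} - set(traversed)
    if missing:
        raise PermissionError(f"policy requires {sorted(missing)} but packet never traversed them: drop")
    return pkt, traversed


if __name__ == "__main__":
    out, order = outbound(Packet(MYNODE, ANOTHER, inner=b"hello"))
    print("outbound order:", order, "outer dst:", out.dst)
    good = Packet(SG, MYNODE, 0x1002, Packet(ANOTHER, MYNODE, 0x2003, Packet(ANOTHER, MYNODE, None, b"hi")))
    print("inbound traversed:", inbound(good)[1])
```

The interesting case is a packet that arrives through SA1 only, with a plaintext inner header claiming to be from Another: decapsulation succeeds, but the SPD check sees that SA2 was never traversed and drops it, which is exactly the bookkeeping a node must keep across decapsulation rather than trusting the inner header on its own.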