Re: SPD issues
At 13:53 -0700 10/21/03, Joe Touch wrote:
>Stephen Kent wrote:
>
>>Folks
>>
>>There may be some misunderstanding about what holes an SPD
>>selection function creates.
>
>
>...
>>The only way to be really confident about the security services
>>being provided for traffic is to have just one SPD, or to make sure
>>that the multiple SPDs are not overlapping in terms of the
>>destination addresses (for outbound traffic), or that the security
>>services offered in any overlapping entries are equivalent.
>
>Steve,
>
>Is it possible that this paragraph ("The only way...") should be
>added as the caveat? I.e., the concern I had was that SPD indexing
>could be an open loophole; this closes it sufficiently.
>
>Feel free to forward this suggestion to the list if you feel it
>would be useful.
>
>Joe
Joe,
Good point. I think it is fair to warn folks about the need to pay
very close attention to config mgmt issues when multiple SPDs are
employed. A reference to Peter's paper might also be relevant.
Steve
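The condition Steve quotes above ("one SPD, or no overlap in destination selectors across SPDs, or equivalent services wherever they overlap") is a configuration-management check that can be automated. The script below is an added example, not code from this thread or from any IPsec implementation: it models a handful of outbound SPD entries drawn from several SPDs, treats two entries' security services as equivalent only when action, protocol, mode and algorithms all match, and reports every cross-SPD pair whose destination selectors overlap while the services differ. The SPD names, prefixes and service tuples are constructed sample data, and the per-SPD naming (spd-eth0, spd-vpn-b, ...) is an assumption about how a particular implementation might key its SPD selection function.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SpdEntry:
    """One outbound SPD entry, reduced to the fields this check needs.

    spd    : name of the SPD the entry lives in (hypothetical per-interface /
             per-VPN names; a real implementation chooses its own selection key)
    dst    : destination address selector as a CIDR prefix
    action : "PROTECT", "BYPASS" or "DISCARD"
    The remaining fields describe the security services of PROTECT entries.
    """
    spd: str
    dst: str
    action: str
    protocol: Optional[str] = None   # "ESP" or "AH"
    mode: Optional[str] = None       # "tunnel" or "transport"
    encr: Optional[str] = None       # encryption algorithm, None for AH
    integ: Optional[str] = None      # integrity algorithm

    def services(self) -> Tuple:
        """Security services offered by this entry. Two entries are treated as
        equivalent only if every element matches (a deliberately strict notion)."""
        return (self.action, self.protocol, self.mode, self.encr, self.integ)


def overlaps(dst_a: str, dst_b: str) -> bool:
    """True if the two destination selectors share at least one address."""
    net_a = ipaddress.ip_network(dst_a, strict=False)
    net_b = ipaddress.ip_network(dst_b, strict=False)
    if net_a.version != net_b.version:
        return False
    return net_a.overlaps(net_b)


def find_conflicts(entries: List[SpdEntry]) -> List[Tuple[SpdEntry, SpdEntry]]:
    """Return pairs of entries from *different* SPDs whose destination selectors
    overlap but whose security services are not equivalent.

    Such a pair is the loophole discussed in the thread: the service a packet
    receives depends on which SPD the selection function picks, not on the
    policy an administrator believed applied to that destination. Overlaps
    inside a single SPD are not reported, because ordered lookup within one
    SPD resolves them deterministically.
    """
    conflicts = []
    for a, b in combinations(entries, 2):
        if a.spd == b.spd:
            continue
        if overlaps(a.dst, b.dst) and a.services() != b.services():
            conflicts.append((a, b))
    return conflicts


def multiple_spds_are_safe(entries: List[SpdEntry]) -> bool:
    """The condition from the thread, restated: no cross-SPD pair may overlap
    in destination address while offering different security services."""
    return not find_conflicts(entries)


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_ENTRIES = [
    SpdEntry("spd-eth0",  "10.1.0.0/16",    "PROTECT", "ESP", "tunnel",    "AES-CBC", "HMAC-SHA1"),
    SpdEntry("spd-vpn-b", "10.1.5.0/24",    "BYPASS"),   # cleartext for a subnet eth0 protects
    SpdEntry("spd-vpn-b", "192.168.7.0/24", "PROTECT", "ESP", "tunnel",    "AES-CBC", "HMAC-SHA1"),
    SpdEntry("spd-vpn-c", "192.168.7.0/24", "PROTECT", "ESP", "tunnel",    "AES-CBC", "HMAC-SHA1"),
    SpdEntry("spd-vpn-c", "10.1.5.0/24",    "PROTECT", "AH",  "transport", None,      "HMAC-SHA1"),
]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE_ENTRIES):
        print(f"CONFLICT: {a.spd} {a.dst} {a.services()}  vs  {b.spd} {b.dst} {b.services()}")
    print("safe" if multiple_spds_are_safe(SAMPLE_ENTRIES) else "NOT safe: merge the SPDs or align the overlapping entries")
```

On the sample data the two 192.168.7.0/24 entries are reported as fine because their services are identical, while 10.1.5.0/24 is flagged three times: once as BYPASS against the /16 that eth0 protects with ESP, and twice because the AH transport entry differs from both. Loosening the equivalence test (for example, treating two ciphers of comparable strength as equal) is a local policy decision; the strict tuple comparison errs on the side of reporting.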