
Re: SPD Syntax Example




> We have differing views of what is open for debate now. What we are
> doing is providing a more flexible capability re defining what
> traffic is mapped to a given SA, something that was clearly agreed
> upon when we decided, as a WG, to add the current set of traffic
> selector negotiation features to IKE v2.

I'm not sure that the WG clearly decided on anything.
At the point when we were revising IKEv2, the revision
to 2401 hadn't been announced yet and we were working
under the assumption that we had to be backwards
compatible with the old model.

> Maybe we just have different views of what interoperability means. I
> don't think interop is achieved if one peer sends traffic that the
> other peer drops, without any advance notice.

That is, after all, the way the whole rest of the
Internet works. 

> A major goal of the traffic selector negotiation is to determine in
> advance whether communication will be allowed for proposed traffic
> flows. That has always been the case. We are not changing it in
> 2401bis.

But that's not what it does, really. What is actually
allowed is generally decided at the firewall level,
and it can vary based on a variety of factors such as
dynamic ports or stateful inspection.
 
> Between IKE v2 and 2401bis we hope to provide a much better
> description of how to match traffic selector payload, and offered
> traffic, against SPD entries.

It's always nice to have a better description of the
model, but it's still the wrong model.

> > And then what happens when B needs to send a packet that matches
> > B's selectors from B's policy for A's original packet, but not A's
> > selectors from A's policy. And then what happens when it comes time
> > for A to rekey?
>
> I believe a goal of IKE v2 is to better allow A and B to determine
> where the policies overlap, to reduce the likelihood of the sort of
> potential problems you cite, while not requiring exact matches
> between the SPD entries for A & B.

The problem is that the SPDs of A & B may have
different and incompatible ways to describe local
policies which include a shared policy P. If you have
to negotiate policies, the behaviour of the system is
not necessarily predictable and the results may vary
based on something as subtle as which packet triggers
the initial negotiation. That's not the most robust
way to define a protocol.

Andrew


=====
Andrew Krywaniuk, Fortinet Technologies
Please *do not* reply to this address. (I will not read it)
Reply to askrywan..hotmail..com or my home address.
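The scenario argued over above (two peers whose SPDs cover the same traffic but describe it differently, so the child SA that results depends on which packet triggered the negotiation, and the responder's own later packet may fall outside it) can be made concrete with a small model. The code below is an added example written for this thread; it is not code from the IPsec WG, RFC 2401bis or any IKEv2 implementation. It assumes the simplified narrowing rule of IKEv2 section 2.9 (initiator proposes its SPD entry's full ranges, responder picks the SPD entry matching the exact triggering packet and narrows to the intersection), and the addresses, ports and SPD entries are constructed for illustration.

```python
"""Toy model of IKEv2 traffic-selector narrowing between two peers whose SPDs
describe the same protected traffic in different shapes.  Added illustration,
not WG or RFC code.  Assumed simplified rule (RFC 4306 sec. 2.9): initiator
proposes its SPD entry's full ranges; responder picks the SPD entry matching
the exact triggering packet and narrows to the intersection with it.
All addresses, ports and SPD entries below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PROTO = 0
TCP = 6

@dataclass(frozen=True)
class TS:
    """One traffic selector: protocol, IPv4 range, port range (inclusive)."""
    proto: int
    addr_lo: int
    addr_hi: int
    port_lo: int
    port_hi: int

    @classmethod
    def build(cls, net: str, ports: Tuple[int, int] = (0, 65535),
              proto: int = ANY_PROTO) -> "TS":
        n = ipaddress.ip_network(net, strict=False)
        return cls(proto, int(n.network_address), int(n.broadcast_address),
                   ports[0], ports[1])

    @classmethod
    def exact(cls, proto: int, addr: str, port: int) -> "TS":
        a = int(ipaddress.ip_address(addr))
        return cls(proto, a, a, port, port)

    def contains(self, other: "TS") -> bool:
        return intersect(self, other) == other

def intersect(a: TS, b: TS) -> Optional[TS]:
    """Selector intersection, or None when the two do not overlap."""
    if ANY_PROTO not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    proto = b.proto if a.proto == ANY_PROTO else a.proto
    alo, ahi = max(a.addr_lo, b.addr_lo), min(a.addr_hi, b.addr_hi)
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if alo > ahi or plo > phi:
        return None
    return TS(proto, alo, ahi, plo, phi)

@dataclass(frozen=True)
class SPDEntry:
    name: str
    local: TS
    remote: TS

def lookup(spd: List[SPDEntry], local: TS, remote: TS) -> Optional[SPDEntry]:
    """First (ordered) SPD entry whose selectors contain the given ones."""
    for e in spd:
        if e.local.contains(local) and e.remote.contains(remote):
            return e
    return None

def negotiate(spd_i: List[SPDEntry], spd_r: List[SPDEntry], proto: int,
              src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[TS, TS]]:
    """(TSi, TSr) of the child SA created for the triggering packet, seen from
    the initiator; None where the responder would answer TS_UNACCEPTABLE."""
    pkt_local, pkt_remote = TS.exact(proto, src, sport), TS.exact(proto, dst, dport)
    ent_i = lookup(spd_i, pkt_local, pkt_remote)
    if ent_i is None:
        return None                 # initiator's SPD does not protect this flow
    ent_r = lookup(spd_r, pkt_remote, pkt_local)   # responder sees roles swapped
    if ent_r is None:
        return None
    tsi = intersect(ent_i.local, ent_r.remote)
    tsr = intersect(ent_i.remote, ent_r.local)
    return None if tsi is None or tsr is None else (tsi, tsr)

def responder_can_send(sa, proto, src, sport, dst, dport) -> bool:
    """Does a packet the responder (B) wants to send fit the existing SA?"""
    tsi, tsr = sa
    return tsr.contains(TS.exact(proto, src, sport)) and tsi.contains(TS.exact(proto, dst, dport))

# Constructed SPDs: A protects all TCP between the two sites in one entry;
# B protects the same traffic but splits it by local port range.
SPD_A = [SPDEntry("a-all-tcp", TS.build("10.1.0.0/16", proto=TCP),
                  TS.build("10.2.0.0/16", proto=TCP))]
SPD_B = [SPDEntry("b-privileged", TS.build("10.2.0.0/16", (1, 1023), TCP),
                  TS.build("10.1.0.0/16", proto=TCP)),
         SPDEntry("b-unprivileged", TS.build("10.2.0.0/16", (1024, 65535), TCP),
                  TS.build("10.1.0.0/16", proto=TCP))]

def demo():
    # Same policy pair, two different triggering packets, two different SAs.
    sa_http = negotiate(SPD_A, SPD_B, TCP, "10.1.5.5", 40000, "10.2.7.7", 80)
    sa_alt = negotiate(SPD_A, SPD_B, TCP, "10.1.5.5", 40001, "10.2.7.7", 8080)
    # After the port-80 trigger, B's own packet from port 8080 is outside the SA
    # even though A's single SPD entry would happily cover it.
    b_fits = responder_can_send(sa_http, TCP, "10.2.7.7", 8080, "10.1.5.5", 40001)
    return sa_http, sa_alt, b_fits

if __name__ == "__main__":
    for label, value in zip(("SA from port-80 trigger", "SA from port-8080 trigger",
                             "B's port-8080 packet fits first SA"), demo()):
        print(f"{label}: {value}")
```

Running it shows the point being argued: with the port-80 trigger the SA's responder-side selector is narrowed to ports 1-1023, with the port-8080 trigger to 1024-65535, so which packet goes first decides what the SA covers, and B's reply traffic from an unprivileged port needs a second SA that A's own SPD never asked for.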
