Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Tero,
> > I think that the IKEv2 document needs to specify which encoding, one
> > of the above or something someone else suggests, MUST be used to
> > enable interoperability.
>
> I think it should use:
>
> TS {
> TSi { ...
> {IP=A, Protocol=TCP, Port=ANY(start=0,end=65535)}
> ...
> }
> TSr { ...
> {IP=B, Protocol=TCP, Port=ANY}
> ...
> }
> }
Is the consequence of such an encoding, i.e., that the default "DROP"
rule at the end of the SPD loses much of its usefulness, intentional?
I.e., such a rule would let any TCP packets go through. Thus if one
wanted to only allow, say, TCP to port 22, including any fragments, then
the admin would have to insert a rule explicitly saying that ports
0 to 21 and 23 to 65535 should be DROP'ed. It gets a lot worse if
multiple ports are allowed.
I think that the encoding you propose will result in more SPD
configuration errors and make IPsec harder to manage.
Charlie
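To make the SPD argument above concrete, here is an added toy SPD evaluator (example code written for this archive page, not from the IKEv2 drafts or either poster). It assumes a simplified RFC 4301-style model in which a non-initial fragment carries no port and therefore only matches a selector whose port range is ANY (0-65535); rule order and the trailing default DROP are modelled as in the mail.

```python
# Toy SPD evaluator: shows why a {TCP, Port=ANY} selector added to carry
# fragments also admits every TCP port unless explicit DROP rules precede it.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP = 6
ANY = (0, 65535)  # full port range, i.e. "ANY" in the quoted TS encoding


@dataclass
class Packet:
    dst: str
    proto: int
    dport: Optional[int]  # None = non-initial fragment, no transport header


@dataclass
class Rule:
    dst: str
    proto: int
    ports: Tuple[int, int]  # inclusive destination port range
    action: str             # "PROTECT" or "DROP"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst != pkt.dst or rule.proto != pkt.proto:
        return False
    if pkt.dport is None:
        # Assumption of this model: a fragment without ports can only be
        # classified by a selector that covers the whole port range.
        return rule.ports == ANY
    lo, hi = rule.ports
    return lo <= pkt.dport <= hi


def lookup(spd: List[Rule], pkt: Packet) -> str:
    for rule in spd:          # first match wins, as in an ordered SPD
        if matches(rule, pkt):
            return rule.action
    return "DROP"             # the default rule at the end of the SPD


# Constructed sample SPDs for host B. The admin intends "TCP/22 only".
SPD_NAIVE = [
    Rule("B", TCP, (22, 22), "PROTECT"),
    Rule("B", TCP, ANY, "PROTECT"),       # the fragment SA from the mail
]
SPD_CARVED = [
    Rule("B", TCP, (22, 22), "PROTECT"),
    Rule("B", TCP, (0, 21), "DROP"),      # explicit carve-outs the mail
    Rule("B", TCP, (23, 65535), "DROP"),  # says the admin must now add
    Rule("B", TCP, ANY, "PROTECT"),       # fragments still reach this rule
]
```

With SPD_NAIVE a TCP packet to port 80 is protected rather than dropped; with SPD_CARVED it is dropped while a port-less fragment still matches the final ANY rule.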