[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SPD Policies - Backward compatibility
OK. Thank you for your and Tero's answers on this subject.
In site-to-site scenario, I also feel that, it can be assumed that
administrator need to know the capabilities of peer gateway.
But this would be a problem in remote access scenario, where peers are
unknown.
Since, rfc2401 capabilities can be exchanged using both IKEv1/v2,
as you indicated, policies can be configured with capabilities given in rfc2401.
I think I can live with this, rather than creating multiple (could be very high)
SA tunnels for each remote user.
Thanks
Ravi
Stephen Kent wrote:
> At 9:33 AM +0530 4/7/04, Ravi wrote:
>
>> Hi,
>> Based on one of the emails, I got an impression that
>> rfc2401-bis is mainly
>> intended for IKEv2. This got me thinking on the compatibility
>> issues.
>>
>> I would assume that, security appliances would be providing
>> both IKEv1/v2
>> and rfc2401/2401bis implementations. In rfc2401bis and IKEv2,
>> there is
>> provision for providing multiple ranges for source and
>> destination selectors.
>> But, rfc2401/ikev1 does not support this combination. Does
>> this mean that, the
>> administrator configuring security policies should have prior
>> (out-of-band)
>> knowledge on remote security gateway capabilities? This does
>> not seem
>> right and I am wondering how do we achieve the backward
>> compatibility where
>> some devices are IKEv2/2401bis capable and some are not.
>>
>> Thanks
>> Ravi
>
>
> Ignoring the ugly issue of manual keying, you will certainly know
> whether a peer is IKEv2 capable when you try to negotiate the IKE SA.
> So, presumably your question is how does a user/admin set up SPD
> entries that take advantage of the new capabilities present in
> 24001bis and IKEv2, prior to knowing the capabilities of a peer? Good
> question.
>
> Knowing the capabilities of the peers for which you have authorized
> communication in the SPD is not out of the question, although I admit
> it is not ideal. Presumably you can start off living with the old
> restrictions, since they represent the status quo, and move to the new
> features as you become more confident that peers have upgraded as
> well. One might adopt a fallback approach, i.e., try to negotiate
> IKEv2 and if it fails, use v1, and map SPD entries into v1
> equivalents, which will result in more SAs.
>
> Steve
>