Re: Gateway Discovery-Architecture Proposal
Abdallah,
Thank you for taking the time to sketch out several examples.
However, I think you have failed to address the concerns I
expressed.
First, your examples seem to have a couple of implied assumptions:
1) SG1 and SG4 both have policies that require an ESP tunnel between
them.
2) When you say a SG has a "No ESP" policy, it means that the SG will
not allow an ESP protected message to pass through it, but its
policy, and the policies of SG1 and SG4 allow the alternative
of ending the tunnels at the SG.
When I have been referring to a SG having a No ESP policy, I've meant
that the policy means no ESP may pass through and there are no
alternative solutions so the communication must be denied.
With those assumptions down, I think I can explain a case that I
am concerned about better.
This is similar to your Case 1.B:
>Case 1: SG1 performs Discovery/IKE/Resolution and has no policy
> restrictions from SG2.
> B- SG4 performs Discovery/Resolution with SG1 but SG3 has
> "NO ESP" policy
However, SG1 does *not* require an ESP tunnel with SG4 (but doesn't
prohibit one) and SG4 does require the tunnel. No ESP is interpreted
as I have meant it to simplify the policies.
At step 1.B.8 in your example, the IKE negotiation stops at SG3,
because SG3's policy prohibits an ESP tunnel, if I understand the
example correctly.
However, in my example, no policy will have yet been resolved that
will indicate to SG3 that an ESP tunnel is being requested, since SG1
does not require an ESP tunnel, so I presume it would continue on as
steps 1.A.8 and 1.A.9 do. At 1.A.9, the resolution protocol will
discover that there will be an ESP tunnel from SG1 to SG4, however
SG3 can no longer participate in the policy resolution to complain
about the tunnel.
Here's a similar example that avoids "No ESP" policies:
Using the same SG1-4:
SG1, SG4 both require an ESP tunnel between them.
SG3 requires an ESP tunnel with SG2
(SG2 does not prohibit it)
Steps 1.A.1 - 1.A.6 from your examples would apply here, I believe.
However, in 1.A.6, the policy resolution between SG1 and SG3 would be
hidden from SG2, so SG2 would not have a say in the policy of a tunnel
between it and SG3. (Which might be okay if SG2 does not object to
the tunnel, but what if it does?)
Hope this clarifies my concerns,
Matt
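The following is an added model of the ordering problem Matt describes; it is not code from the thread, from the discovery draft, or from either author, and the hop-by-hop walk it assumes (each gateway is consulted once about the tunnel requirements known when the walk reaches it, then drops out; a requirement only becomes known when the walk reaches a gateway that states it) is an assumption made here to reproduce Matt's reading of steps 1.A and 1.B, not the draft's actual procedure. The gateway names SG1 to SG4 are the ones in the thread; the field names, the chain() helper and the three scenario tables are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    # peers this gateway requires an ESP tunnel with (a requirement by
    # either end of a tunnel is enough to make it mandatory)
    requires_tunnel_with: frozenset = frozenset()
    # "No ESP" in Matt's sense: no ESP-protected traffic may transit this
    # gateway and there is no alternative, so the communication is denied
    blocks_esp_transit: bool = False


def stakeholders(path, a, b):
    """Every gateway with a say in a tunnel between a and b: both
    endpoints and each gateway the tunnel would transit."""
    i, j = sorted((path.index(a), path.index(b)))
    return path[i:j + 1]


def resolve(path, gateways):
    """Assumed model (not the draft's protocol) of a hop-by-hop resolution
    starting at path[0]: each gateway is consulted once, when the walk
    reaches it, about the tunnel requirements known at that point, and
    then drops out.  Returns one finding per required tunnel."""
    pos = {name: i for i, name in enumerate(path)}
    # tunnel -> index of the first gateway on the walk that states it
    first_seen = {}
    for gw in gateways.values():
        for peer in gw.requires_tunnel_with:
            key = tuple(sorted((gw.name, peer), key=pos.__getitem__))
            first_seen[key] = min(first_seen.get(key, len(path)), pos[gw.name])

    findings = []
    for (a, b), seen_at in sorted(first_seen.items(), key=lambda kv: kv[1]):
        parties = stakeholders(path, a, b)
        transit = parties[1:-1]
        skipped = [g for g in parties if pos[g] < seen_at]   # passed before the tunnel was known
        vetoes = [g for g in transit if gateways[g].blocks_esp_transit]
        if any(pos[g] >= seen_at for g in vetoes):
            outcome = "denied"                       # an objecting transit SG is still in the walk
        elif vetoes:
            outcome = "set up against policy"        # the objector had already dropped out
        elif skipped:
            outcome = "set up without consulting " + ", ".join(skipped)
        else:
            outcome = "set up"
        findings.append({"tunnel": (a, b), "skipped": skipped, "outcome": outcome})
    return findings


def chain(**policies):
    """Build the SG1..SG4 chain from the thread with the given policies
    (constructed helper, keyed by gateway name)."""
    path = ["SG1", "SG2", "SG3", "SG4"]
    gws = {n: Gateway(n,
                      frozenset(policies.get(n, {}).get("requires", ())),
                      policies.get(n, {}).get("blocks", False))
           for n in path}
    return path, gws


# Case 1.B as Matt reads it: SG1 and SG4 both require the tunnel and SG3 is
# "No ESP"; the walk reaches SG3 with the requirement known, and SG3 denies.
CASE_1B = chain(SG1={"requires": ["SG4"]}, SG3={"blocks": True},
                SG4={"requires": ["SG1"]})

# Matt's first example: only SG4 requires the tunnel and SG3 is "No ESP";
# the requirement surfaces at SG4, after SG3 has dropped out.
MATT_1 = chain(SG3={"blocks": True}, SG4={"requires": ["SG1"]})

# Matt's second example, no "No ESP" policies: SG1 and SG4 require a tunnel
# with each other, SG3 requires one with SG2, and SG2 is passed before that
# requirement surfaces.
MATT_2 = chain(SG1={"requires": ["SG4"]}, SG3={"requires": ["SG2"]},
               SG4={"requires": ["SG1"]})

if __name__ == "__main__":
    for label, (path, gws) in [("1.B", CASE_1B), ("Matt 1", MATT_1),
                               ("Matt 2", MATT_2)]:
        for f in resolve(path, gws):
            print(label, f["tunnel"], f["outcome"])
```

Under this model the 1.B scenario stops at SG3 as Abdallah's example does, the first of Matt's scenarios ends with an SG1-SG4 tunnel that SG3's policy forbids but SG3 never saw, and the second ends with an SG2-SG3 tunnel on which SG2 was never consulted. Whatever the real resolution procedure does, the check a reviewer would want is the one in the `skipped` list: for every tunnel that ends up required, every stakeholder must have been asked after the requirement was known.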