Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
    >> What could occur is that I could remove the very specific remoteip= in
    >> the policy, and have a less specific policy that accepted a connection
    >> for remoteid=* from any IPv6-LL.  I'm not really crazy about that
    >> solution.

    > No, it might even open a chink in the security armour.

Not really that much.

The thing that it does is that, when the actual B->A policy comes along, it's
not clear how one should deal with the specific remoteid=FOO policy that was
created from the remoteid=* template.  It will show up as a duplicate
PARENT SA, and one or the other will get deleted (RFC7296, section 2.8.2),
but both policies will persist, and they could wind up doing dumb things,
trampling on each other.

    >> I'm not actually sure that there is a problem.  The issue is noise.

    > Indeed. Fix it with more noise (randomization).

Yes, I agree.  The noise that I'm actually thinking about here is in the logs.
It looks like something bad happened, but actually, it's not a problem.  When
I first saw the log entry, I thought I'd broken something in the certificates,
or something.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima