On Feb 13, 2012, at 3:26 PM, Paul Wouters wrote:

> On Sun, 12 Feb 2012, Scott Fluhrer (sfluhrer) wrote:
>
>>> a) What should the initiator do with packets that suddenly fall outside
>>> the new narrowed proposal? drop them? send them in plain text?
>>> (in other words, I'm trying to define a "local policy")
>>
>> If the initiator's SPD says that a particular packet should be protected,
>> it'd be the Wrong Thing to send it in the clear just because it fell
>> outside of the proposal that the responder replied with.
>
> Right, so that likely means the initiator cannot allow any narrowing
> (unless you accept it is okay to start an IKE negotiation for each
> src/dst combo, which causes lots of delay for the user over establishing
> one broad SA)
Not really. Think of an example where Gw-A has 192.168.3.0/24 behind it, while Gw-B has 192.168.6.0/23 behind it, although on Gw-B it is defined as two /24 subnets. Gw-A might initiate with TS: 192.168.3.0/24<-->192.168.6.0/23, but since the triggering packet is 192.168.3.5-->192.168.6.9, the proposal gets narrowed to 192.168.3.0/24<-->192.168.6.0/24. If later a 192.168.3.5-->192.168.7.10 packet comes around, the SA won't cover it, so it will start a new negotiation that will get narrowed to 192.168.3.0/24<-->192.168.7.0/24.

There is no reason why the initiator cannot allow any narrowing. This is supposed to be an improvement over IKEv1, where any mismatch in configuration between the peers resulted in failure to set up a tunnel.

I realize that this invalidates the concept of a defined tunnel being either "up" or "down".

Yoav

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
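The Gw-A/Gw-B scenario above, as an added example that is not part of this thread: a simplified model of RFC 7296 traffic-selector narrowing in which the responder keeps the piece of the proposal that covers the triggering packet, and the initiator starts a fresh negotiation for packets its existing Child SAs do not cover but drops (never sends in the clear) a packet its SPD says to protect when the responder cannot narrow to it. Selectors are address ranges only; protocol and port fields, and the `TS`, `responder_narrow` and `Initiator` names, are assumptions of this example.

```python
import ipaddress

# Added example: address-only model of IKEv2 TS narrowing (RFC 7296 sec. 2.9).

class TS:
    """One address-range traffic selector, stored as inclusive integers."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi

    @classmethod
    def cidr(cls, prefix):
        net = ipaddress.ip_network(prefix)
        return cls(int(net[0]), int(net[-1]))

    def covers(self, addr):
        return self.lo <= addr <= self.hi

def responder_narrow(proposed, policy, trigger):
    """Responder side: intersect the proposed selector with its own policy
    (a list of selectors) and keep the piece that covers the triggering
    packet's address, as the RFC requires. None means TS_UNACCEPTABLE."""
    for allowed in policy:
        lo, hi = max(proposed.lo, allowed.lo), min(proposed.hi, allowed.hi)
        if lo <= hi and lo <= trigger <= hi:
            return TS(lo, hi)
    return None

class Initiator:
    """Gw-A: one SPD entry (local<->remote) plus the Child SAs built from it."""
    def __init__(self, local, remote, peer_local_policy, peer_remote_policy):
        self.local, self.remote = local, remote
        self.peer = (peer_remote_policy, peer_local_policy)  # Gw-B's view of TSi, TSr
        self.child_sas = []                                  # list of (tsi, tsr)

    def send(self, src, dst):
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        if any(tsi.covers(s) and tsr.covers(d) for tsi, tsr in self.child_sas):
            return "existing SA"
        if not (self.local.covers(s) and self.remote.covers(d)):
            return "no SPD match"            # this SPD entry does not apply
        tsi = responder_narrow(self.local, self.peer[0], s)   # narrowed by Gw-B
        tsr = responder_narrow(self.remote, self.peer[1], d)
        if tsi is None or tsr is None:
            return "dropped"                 # SPD says protect: never send in the clear
        self.child_sas.append((tsi, tsr))
        return "new SA"
```

With Gw-B's side configured as two /24s, the 192.168.6.9 packet yields a 192.168.6.0/24 SA and the later 192.168.7.10 packet a second, 192.168.7.0/24 SA.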
