
Re: [IPSECKEY] Security Considerations (pass 2)





>>>>> "Rob" == Rob Austein <sra+ipseckey@hactrn.net> writes:
    Rob> At Mon, 26 May 2003 10:20:45 +0200, Jean-Jacques Puig wrote:
    >> 
    >> That's a good question. Besides, on the server side, section 3.1 mandates:
    >> 
    >> If no gateway is to be indicated, then the gateway type field MUST be
    >> zero, and the gateway type MUST be "."
    >> 
    >> BTW, s/gateway type/gateway field/ ?

    Rob> The second one, yes ('the gateway type MUST be "."'), good catch.

  Thank you.

    >> Is there a particular difference between the following 2 cases ?
    >> 
    >> - No gateway (type=0 gateway=".")
    >> - The gateway is the same as the RR owner (ex: type=1
    >> gateway=192.0.2.38)
    >> 
    >> I would take type=0 as a clue that the host will accept transport mode
    >> SA, and (type != 0 && address == RR_owner) as a clue that the host will
    >> take only tunnel mode proposals. Is it the original intent ?

    Rob> Michael will have to speak to intent, but I didn't read it that way.
    Rob> I read the two cases as semantically equivalent, and had assumed that
    Rob> the choice of tunnel vs transport mode was something to be negotiated
    Rob> by the parties involved.

  No intent is implied by this document.
  My opinion is that you would need to write a use-case document that
explains how you are using the record.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
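
The two cases discussed in this message, as an added example that is not part of the original thread or the draft's own code: a small validator for the IPSECKEY presentation form that enforces the quoted section 3.1 rule (gateway type 0 requires gateway ".") and separates "no gateway" from "gateway is the RR owner". The field order and the type values 2 and 3 are taken from the published RFC 4025, the owner address is passed in by the caller as an assumption, the key string is a constructed placeholder, and the classification is a record-level distinction only that says nothing about tunnel or transport mode.

```python
import ipaddress

# Gateway type values; 0 and 1 appear in the thread, 2 and 3 are assumed
# from the published RFC 4025.
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3

def parse_ipseckey(rdata):
    """Parse 'precedence gateway-type algorithm gateway [public-key]' and
    enforce consistency between the gateway type and the gateway field."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected at least 4 fields")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    gateway = fields[3]
    if gw_type == GW_NONE:
        # The rule quoted from section 3.1: no gateway means type 0 and ".".
        if gateway != ".":
            raise ValueError('gateway type 0 requires gateway "."')
        gw = None
    elif gw_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway)   # raises ValueError if malformed
    elif gw_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway)
    elif gw_type == GW_NAME:
        gw = gateway.rstrip(".").lower()
        if not gw:
            raise ValueError('gateway type 3 requires a name, not "."')
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return {"precedence": precedence, "gateway_type": gw_type,
            "algorithm": algorithm, "gateway": gw,
            "public_key": "".join(fields[4:])}  # base64 text, not decoded here

def gateway_case(owner_addr, rec):
    """Classify a parsed record relative to the address that owns the RR.
    This is a data-level label only; it implies no SA mode."""
    if rec["gateway"] is None:
        return "no-gateway"
    if (rec["gateway_type"] in (GW_IPV4, GW_IPV6)
            and rec["gateway"] == ipaddress.ip_address(owner_addr)):
        return "gateway-is-owner"
    return "separate-gateway"

if __name__ == "__main__":
    OWNER = "192.0.2.38"   # address from the thread's second case
    KEY = "AQIDBA=="       # constructed placeholder, not a real key
    for rdata in ("10 0 2 . " + KEY, "10 1 2 192.0.2.38 " + KEY):
        print(rdata, "->", gateway_case(OWNER, parse_ipseckey(rdata)))
```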