List: openbsd-tech
Subject: Re: ISAKMP: Preventing SPD addition?
From: Jean-Francois Dive <jef () linuxbe ! org>
Date: 2002-10-29 2:49:28
then you're in the right and standard scenario to use
isakmpd properly. Phase 2 negotiation is there just for
that: tell which bit of the traffic is gonna be encrypted
(aka: define the selectors)...
Jef
On Mon, Oct 28, 2002 at 06:04:45PM -0800, Mike Neuman wrote:
> > What I don't get is why don't you simply negotiate
> > multiple phase
> > 2 SA's:
> > - one for ICMP.
> > - one for TCP traffic on port whatever ?
>
> Well, I'm trying to avoid the case where a client
> can "upgrade" the server to using encryption. I want
> to have fine grained control so that my policy can
> say:
>
> - Client MUST use esp for tcp/23
> - Client MUST NOT use esp for anything else
>
> The answer is probably right under my nose, in the
> form of isakmpd.policy. It's just not obvious to me
> what "local_filter_port" and "local_filter_proto"
> actually mean. Are these referring to the port & proto
> of the ISAKMP daemon or of the SPD which caused the
> isakmp negotiation?
>
> -Mike
> Y! Web Hosting - Let the expert host your web site
> http://webhosting.yahoo.com/
--
-> Jean-Francois Dive
--> jef@linuxbe.org
There is no such thing as randomness. Only order of infinite
complexity. - _The Holographic Universe_, Michael Talbot
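Added illustration, not part of the thread above: an isakmpd.policy fragment in KeyNote syntax (the policy language OpenBSD's isakmpd uses) that authorises only phase 2 SAs whose traffic selector is TCP port 23 with ESP, which is one way to express the "MUST use ESP for tcp/23, nothing else" requirement from the quoted mail. The local_filter_* and remote_filter_* attributes describe the selector of the SA being proposed (the traffic it would protect), not the ISAKMP daemon's own UDP port. The passphrase value is a placeholder, and the "tcp" spelling of the protocol attribute is an assumption: check isakmpd.policy(5) on your release for the exact attribute values.

```text
# isakmpd.policy (added example, not from the thread)
# Only phase 2 proposals whose selector is TCP/23 and which use ESP satisfy
# the Conditions; everything else is rejected, so a peer cannot talk isakmpd
# into negotiating ESP for other traffic.
KeyNote-Version: 2
Authorizer: "POLICY"
# placeholder credential, replace with your own shared secret or certificate
Licensees: "passphrase:CHANGE-ME-shared-secret"
# local_filter_proto / local_filter_port: protocol and port of the proposed
# SA's local selector (the SPD side), not the port isakmpd listens on
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            local_filter_proto == "tcp" &&
            local_filter_port == "23" &&
            remote_filter_proto == "tcp" -> "true";
```

Because a KeyNote policy can only accept or refuse proposals, this covers the "MUST use ESP for tcp/23" half; plain-text handling of all other traffic is still decided by the host's own IPsec flows rather than by isakmpd.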