
List:       openbsd-tech
Subject:    Re: ISAKMP: Preventing SPD addition?
From:       Jean-Francois Dive <jef () linuxbe ! org>
Date:       2002-10-29 2:49:28

Then you're in the right and standard scenario to use
isakmpd properly. Phase 2 negotiation is there just for
that: tell which bit of the traffic is gonna be encrypted
(aka: define the selectors)...

Jef

On Mon, Oct 28, 2002 at 06:04:45PM -0800, Mike Neuman wrote:
> > What I don't get is why don't you simply negotiate
> > multiple phase 2 SAs:
> > - one for ICMP.
> > - one for TCP traffic on port whatever?
> 
>   Well, I'm trying to avoid the case where a client
> can "upgrade" the server to using encryption. I want
> to have fine-grained control so that my policy can
> say:
> 
> - Client MUST use esp for tcp/23
> - Client MUST NOT use esp for anything else
> 
>   The answer is probably right under my nose, in the
> form of isakmpd.policy. It's just not obvious to me
> what "local_filter_port" and "local_filter_proto"
> actually mean. Are these referring to the port & proto
> of the ISAKMP daemon or of the SPD which caused the
> isakmp negotiation?
> 
> -Mike

-- 

-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity.  - _The Holographic Universe_, Michael Talbot
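One way to express the server-side policy Mike describes (ESP mandatory for tcp/23, nothing else accepted) as an isakmpd.policy(5) KeyNote assertion. This is an added example, not part of either message and not the project's own sample policy; it assumes the local_filter_* attributes describe the traffic selector (the SPD entry) proposed in the Phase 2 exchange rather than the daemon's own port, and the passphrase credential is a constructed placeholder.

```keynote
KeyNote-Version: 2
Comment: Constructed example. Accept a Phase 2 (quick mode) proposal only
         when the proposed selector is TCP to local port 23 and the suite
         contains ESP with real encryption. A proposal whose selector or
         protocol suite does not satisfy the Conditions gets the default
         return value "false", so isakmpd rejects that SA. That rejection
         is what stops a peer from "upgrading" other traffic to ESP.
Authorizer: "POLICY"
Licensees: "passphrase:example-shared-secret-placeholder"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            ah_present == "no" &&
            esp_enc_alg != "null" &&
            local_filter_proto == "tcp" &&
            local_filter_port == "23" -> "true";
```

Because KeyNote only ever grants, the "MUST NOT use esp for anything else" half of the policy needs no separate deny clause: every other selector simply fails to match and is refused.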
