linux-ipsec: Pluto tripping over own feet
From: Hugh Redelmeier <hugh(at)trends.net>
Date: Wed Jun 24 1998 - 21:16:21 EDT

One important special case of this is any host-mode setup. Currently, pluto refuses to perform the required routing commands to implement the SA if the peer's IP address is within the peer's client subnet. The reason is that Pluto does not wish to lose touch with its peer. The situation is symmetric if the peer is Pluto (I can't speak for other IKE implementations). This does not seem to be acceptable. What should we do?

My first thought is that Pluto should be able to tell the kernel not to use the SA for UDP port 500 messages (the official IKE port). But that doesn't seem to fit in with routing commands. Packets need to be dealt with based on more than their destination IP number. It seems much more like packet filtering.
Hugh Redelmeier
PS: Currently, when Pluto is acting as a Quick Mode initiator, it installs the SA before sending the I2 packet -- a quirk of the implementation. This guarantees that the responder won't understand the packet if the SA applies to it. On the other hand, adjusting this detail doesn't fix the problem: if the I2 packet is lost, it would have to be resent and by that time the SA would have been established. The path continues to be needed anyway for Notification messages.

Received on Wed Jun 24 21:35:54 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:22 EDT
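The post's point is that a destination-only routing decision cannot carve the peer's own IKE traffic (UDP port 500) out of an SA whose client subnet contains the peer, whereas a packet-filter style policy keyed on protocol and port can. The following is an added illustration, not Pluto's code or the Linux kernel's: it models both decision procedures over a small constructed example (peer 192.0.2.1 with client subnet 192.0.2.0/24, addresses taken from the documentation ranges) and shows where each lands. The `Packet`, `Policy`, `route_decision`, `spd_decision` and `build_spd` names are hypothetical and exist only for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IKE_PORT = 500  # the official IKE UDP port, as named in the post


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple of an outbound packet (hypothetical model)."""
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    """One ordered policy entry in the style of an IPsec SPD (hypothetical model)."""
    dst_net: str                # destination selector, e.g. "192.0.2.0/24"
    action: str                 # "protect" (send via the SA) or "bypass" (send in the clear)
    proto: Optional[str] = None # None matches any protocol
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def ike_would_be_captured(peer_ip: str, peer_client_net: str) -> bool:
    """The condition under which the post says Pluto refuses to install routing:
    the peer itself lies inside the client subnet the SA would cover."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(peer_client_net)


def route_decision(pkt: Packet, sa_client_net: str) -> str:
    """Destination-only decision, the only thing a routing command can express.
    Every packet to the client subnet goes through the SA, IKE included."""
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(sa_client_net):
        return "protect"
    return "clear"


def spd_decision(pkt: Packet, spd: List[Policy]) -> str:
    """First-match lookup over an ordered policy list, as a packet filter does.
    Anything no entry matches is sent in the clear."""
    for policy in spd:
        if policy.matches(pkt):
            return policy.action
    return "clear"


def build_spd(peer_ip: str, peer_client_net: str) -> List[Policy]:
    """Policy list expressing the post's wish: do not use the SA for UDP/500
    to the peer, but protect everything else bound for the client subnet.
    Order matters: the narrow bypass entry must precede the broad protect entry."""
    peer_host_net = str(ipaddress.ip_network(peer_ip))   # "192.0.2.1/32"
    return [
        Policy(dst_net=peer_host_net, action="bypass", proto="udp", dport=IKE_PORT),
        Policy(dst_net=peer_client_net, action="protect"),
    ]


if __name__ == "__main__":
    # Constructed sample: peer sits inside its own client subnet (host-mode-like case).
    peer, client_net = "192.0.2.1", "192.0.2.0/24"
    spd = build_spd(peer, client_net)
    ike = Packet(src="198.51.100.7", dst=peer, proto="udp", sport=IKE_PORT, dport=IKE_PORT)
    web = Packet(src="198.51.100.7", dst="192.0.2.50", proto="tcp", sport=40000, dport=80)
    print("peer inside client subnet:", ike_would_be_captured(peer, client_net))
    for name, pkt in (("IKE to peer", ike), ("HTTP to client", web)):
        print(f"{name}: routing says {route_decision(pkt, client_net)}, "
              f"policy says {spd_decision(pkt, spd)}")
```

Running it shows the asymmetry the post describes: the routing model classifies the IKE packet as "protect", which is exactly the self-inflicted outage Pluto avoids by refusing to install the route, while the ordered policy list returns "bypass" for UDP/500 to the peer and "protect" for ordinary traffic to the rest of the subnet. The bypass entry must be listed first; reversing the order makes the policy model collapse back into the routing model's answer.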