Re: [Ipsec] Blocking traffic using opaque

At 7:08 PM +0530 4/5/05, Tatineni SriRama Kumar wrote:
Hi All,
As per points C and D in section 4.4.1.3 of 2401bis, traffic will be passed in only one direction. Based on this I have the following questions.


1. How does the configuration specified in point B of the same section allow traffic in both directions?

Item B in 4.4.1.3 addresses the case where there is only 1 selector corresponding to the port field. The use of OPAQUE here is just a convention for IKE negotiation re such protocols. This does not affect the S/D address aspect of SPD entry symmetry. So, an entry of the sort described in B enables bidirectional traffic flows for a protocol such as the Mobility Header, IF there are corresponding SPD entries at each end.


2. If the configuration specified in points B, C and D allows traffic in one direction only, what should be the configuration to allow traffic in both directions?

Items C + D in 4.4.1.3 explicitly are intended to NOT allow bidirectional traffic flow for a protocol that is NOT bidirectional, so your question is not meaningful in these cases. If you did not use the conventions described here, then bidirectional flows will be enabled, by default.


Steve
