On Sat, Jun 28, 2003 at 07:44:05AM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> This one is unacceptable. Extension of firewalling rules is a good thing,
> but IKE must not depend on this.

I agree.

> I understood the point. But I still cannot figure out how to solve this.
>
> What could you suggest? The first question, is it _really_ enough
> to block transformed packets unless they are explicitly prescribed in policy?
> Only tunnel mode ones?

This would at least bring us in line with what's already out there.
Are there any other problems that you can think of?

In fact, reading RFC 2367 and 2401 again, the solution is completely
specified in there :)

All tunnel SAs must carry source/destination identities with them which
will in turn be used to check the inner source/destination addresses.

I'm happy to write the code for this unless you guys object to this
solution.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
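The check Herbert proposes, as an added example (written for this page; it is not code from the thread, from RFC 2401 or from the Linux kernel): after a tunnel-mode packet is decapsulated, the inner IPv4 source and destination are compared against the source/destination identities carried by the SA that decrypted it, and the packet is dropped if either falls outside them. The `sa_selector` structure, the `verdict` codes, the function names and the 10.1.0.0/16 and 10.2.0.0/16 addresses are all assumptions made up for the illustration; real implementations keep their own selector structures.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical shape of the "source/destination identities" a tunnel SA
 * carries: one address plus prefix length per direction, network byte order.
 * Illustration only, not a kernel's actual selector structure. */
struct sa_selector {
    uint32_t src; uint8_t src_plen;
    uint32_t dst; uint8_t dst_plen;
};

enum verdict {
    INNER_OK           =  0,  /* inner addresses lie within the SA identities */
    INNER_MALFORMED    = -1,  /* not a plausible IPv4 header */
    INNER_SRC_MISMATCH = -2,  /* inner source outside the SA's source identity */
    INNER_DST_MISMATCH = -3   /* inner destination outside the SA's dest identity */
};

/* Network-order netmask for a prefix length; /0 means "any". */
static uint32_t plen_mask(uint8_t plen)
{
    if (plen == 0)  return 0;
    if (plen >= 32) return 0xffffffffu;
    return htonl(0xffffffffu << (32 - plen));
}

static int addr_in_prefix(uint32_t addr, uint32_t prefix, uint8_t plen)
{
    uint32_t m = plen_mask(plen);
    return (addr & m) == (prefix & m);
}

/* Inbound check on the decapsulated inner packet: only addresses the SA was
 * negotiated for may come out of the tunnel; everything else is dropped. */
int check_inner_ipv4(const struct sa_selector *sel, const uint8_t *inner, size_t len)
{
    uint32_t src, dst;
    /* Version 4, IHL >= 5 words, and a full base header actually present. */
    if (len < 20 || (inner[0] >> 4) != 4 || (inner[0] & 0x0f) < 5)
        return INNER_MALFORMED;
    memcpy(&src, inner + 12, sizeof src);
    memcpy(&dst, inner + 16, sizeof dst);
    if (!addr_in_prefix(src, sel->src, sel->src_plen))
        return INNER_SRC_MISMATCH;
    if (!addr_in_prefix(dst, sel->dst, sel->dst_plen))
        return INNER_DST_MISMATCH;
    return INNER_OK;
}

/* Builders for constructed test input: an SA selector from dotted strings,
 * and a bare 20-byte inner IPv4 header (no payload is needed for the check). */
struct sa_selector make_selector(const char *src, uint8_t src_plen,
                                 const char *dst, uint8_t dst_plen)
{
    struct sa_selector s;
    memset(&s, 0, sizeof s);
    inet_pton(AF_INET, src, &s.src);
    inet_pton(AF_INET, dst, &s.dst);
    s.src_plen = src_plen;
    s.dst_plen = dst_plen;
    return s;
}

size_t build_inner_ipv4(uint8_t *buf, const char *src, const char *dst)
{
    uint16_t total = htons(20);
    memset(buf, 0, 20);
    buf[0] = 0x45;               /* version 4, IHL 5 */
    memcpy(buf + 2, &total, 2);  /* total length */
    buf[8] = 64;                 /* TTL */
    buf[9] = 17;                 /* protocol: UDP */
    inet_pton(AF_INET, src, buf + 12);
    inet_pton(AF_INET, dst, buf + 16);
    return 20;
}

/* One-call scenario: the SA's identities plus the inner addresses observed. */
int verdict_for(const char *sa_src, uint8_t sa_src_plen,
                const char *sa_dst, uint8_t sa_dst_plen,
                const char *pkt_src, const char *pkt_dst)
{
    struct sa_selector sel = make_selector(sa_src, sa_src_plen, sa_dst, sa_dst_plen);
    uint8_t inner[20];
    size_t n = build_inner_ipv4(inner, pkt_src, pkt_dst);
    return check_inner_ipv4(&sel, inner, n);
}

int main(void)
{
    /* Constructed scenario: a tunnel SA negotiated for 10.1.0.0/16 <-> 10.2.0.0/16.
     * The second packet is what an SA peer could inject if the inner addresses
     * were never checked: traffic claiming a source the SA was not set up for. */
    printf("legit   10.1.5.5 -> 10.2.7.7    : %d\n",
           verdict_for("10.1.0.0", 16, "10.2.0.0", 16, "10.1.5.5", "10.2.7.7"));
    printf("spoofed 192.168.1.1 -> 10.2.7.7 : %d\n",
           verdict_for("10.1.0.0", 16, "10.2.0.0", 16, "192.168.1.1", "10.2.7.7"));
    return 0;
}
```

The point of the example is the second case: with the SA's identities enforced, a peer that holds a valid SA can still only emit inner packets for the addresses that SA was negotiated for, which is what makes "block transformed packets unless prescribed in policy" enforceable without relying on separate firewall rules.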