[anonsec] what I call leap-of-faith

Nicolas Williams Nicolas.Williams at sun.com
Thu Mar 23 15:47:13 PST 2006


On Thu, Mar 23, 2006 at 11:13:04AM -0600, Yu-Shun Wang wrote:
> Finally, I am not sure if adding SPD entries because of BTNS is
> a good idea or not.

Automatically?  No, that'd be mostly a bad idea unless one were very
careful to limit the addresses that can be so bound to keys.  The
problem you get into is a DoS (unintentional even) where clients over
time cause all available dynamically assigned addresses to be so bound
to their keys in their peers' policy databases, which then denies new
clients that obtain those same addresses at future times the ability to
talk to those servers.

>                     Although it seems like the actual policy
> regarding authentication is in PAD in 4301 now, SPD is
> still part of the policy database and I've always thought
> BTNS should be specified by policy but not creating policy?

Yes.

> Maybe this is related to Sam's comments re: API or interfaces
> to SPD? But I thought that's from _outside_ of IPsec such as
> other protocols or apps.

APIs are interfaces.  And yes, it would be applications using them.
Anything from IPsec configuration apps (which shouldn't be necessary,
presumably, since you'd expect the native implementor to provide such
applications) to applications that wish to create policy given
contextual information (LoF at clients could be done this way).

Nico
-- 
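The exhaustion scenario Nico describes above, as an added simulation that is not part of the anonsec thread and not code from any IPsec implementation: a peer's policy database that auto-binds the first key seen from an address (leap-of-faith) is run against a small, constructed dynamic-address pool whose leases get recycled; a second run restricts auto-binding to an explicit allow-set of addresses, which is the "very careful to limit the addresses" case. `PolicyDB`, `connect`, `simulate`, the 10.0.0.x pool and the key names are all hypothetical.

```python
"""Simulate auto-created address->key policy entries (leap-of-faith) and the
denial that follows when dynamically assigned addresses are recycled.
Added example; addresses, keys and the PolicyDB model are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PolicyDB:
    # address -> key that was bound to it on first contact
    bindings: Dict[str, str] = field(default_factory=dict)
    # Addresses that may be auto-bound. None = any address (the unsafe default);
    # a set = only these (e.g. statically assigned hosts) may create policy.
    bindable: Optional[Set[str]] = None

    def connect(self, addr: str, key: str) -> bool:
        """Return True if a peer at `addr` presenting `key` is accepted."""
        bound = self.bindings.get(addr)
        if bound is not None:
            # leap-of-faith: once bound, the address must keep presenting that key
            return bound == key
        if self.bindable is not None and addr not in self.bindable:
            # address not eligible for auto-binding: accept unauthenticated
            # (BTNS-style) but create no policy entry for it
            return True
        self.bindings[addr] = key
        return True


def lease_sequence(pool_size: int, num_clients: int) -> List[str]:
    """Constructed DHCP-like behaviour: leases are handed out in order and
    recycled once the pool is exhausted, so client N reuses client N-pool's address."""
    pool = [f"10.0.0.{i}" for i in range(1, pool_size + 1)]
    return [pool[c % pool_size] for c in range(num_clients)]


def simulate(pool_size: int, num_clients: int, restrict: bool) -> int:
    """Run `num_clients` distinct-key clients through a pool of `pool_size`
    dynamic addresses and return how many are denied by the server's policy DB."""
    # restrict=True: the dynamic pool is excluded from auto-binding entirely
    pdb = PolicyDB(bindable=set() if restrict else None)
    denied = 0
    for client, addr in enumerate(lease_sequence(pool_size, num_clients)):
        key = f"key-of-client-{client}"  # every client has its own key
        if not pdb.connect(addr, key):
            denied += 1
    return denied


if __name__ == "__main__":
    # Every client beyond the pool size inherits an address already bound
    # to someone else's key and is refused.
    print("unrestricted auto-binding, denied:", simulate(4, 8, False))
    print("auto-binding limited to static hosts, denied:", simulate(4, 8, True))
```

The first run shows the denial growing with every recycled lease; the second shows that keeping the dynamic pool out of the bindable set removes the problem while still allowing a statically addressed host to be bound on first contact.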

