[anonsec] BYPASS OR PROTECT
mcr at sandelman.ca
Tue Apr 3 09:29:34 PDT 2007
Nicolas Williams wrote:
> You may also recall that in the case of the core BTNS document the
> access control issue had been about ensuring that BTNS peers not be
> allowed to assert traffic selectors that non-BTNS peers are allowed to
> assert. And recall that we addressed this by providing that the PAD be
> searched twice, once at authentication time and once at CHILD SA
> creation time, the latter to find that the asserted traffic selectors do
> not overlap with ones reserved for non-BTNS peers.
I want to say that Openswan does precisely this when it implements
Opportunistic Encryption a la RFC4322.
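The two-pass PAD search described in the quoted text, as an added example that is not part of the original post, of Openswan, or of RFC 4322: the PadEntry layout, the auth labels and the sample PAD are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network


@dataclass
class PadEntry:
    """One Peer Authorization Database entry (hypothetical layout)."""
    name: str
    auth: str                  # assumed labels: "cert", "psk" or "btns"
    peer_id: str               # identity matched at IKE_AUTH; "*" = BTNS wildcard
    selectors: list            # traffic selectors this peer may assert


# Constructed sample PAD, not a real configuration.
PAD = [
    PadEntry("corp-gw", "cert", "gw.example.com", [ip_network("10.1.0.0/16")]),
    PadEntry("partner", "psk", "partner.example.net", [ip_network("10.2.0.0/16")]),
    PadEntry("btns-any", "btns", "*", [ip_network("0.0.0.0/0")]),
]


def pad_lookup_auth(pad, auth, peer_id):
    """Pass 1 (authentication time): pick the entry that admits this peer."""
    for entry in pad:
        if entry.auth == auth and entry.peer_id in (peer_id, "*"):
            return entry
    return None


def check_child_sa(pad, entry, asserted):
    """Pass 2 (CHILD_SA creation): verify the selectors the peer asserts.

    Every asserted selector must lie inside the matched entry's own
    selectors, and a BTNS peer may not claim anything that overlaps a
    selector reserved for an authenticated (non-BTNS) peer.
    """
    asserted = [ip_network(ts) for ts in asserted]
    for ts in asserted:
        if not any(ts.subnet_of(allowed) for allowed in entry.selectors):
            return False, f"{ts} not authorized for {entry.name}"
    if entry.auth == "btns":
        for other in pad:
            if other.auth == "btns":
                continue
            for reserved in other.selectors:
                hit = [ts for ts in asserted if ts.overlaps(reserved)]
                if hit:
                    return False, f"{hit[0]} overlaps {reserved} reserved for {other.name}"
    return True, "ok"
```

With the sample PAD, a BTNS peer is admitted at authentication time but is refused a CHILD_SA for anything inside 10.1.0.0/16 or 10.2.0.0/16, while the certificate-authenticated gateway gets those ranges and nothing else.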