
Re: ISAKMP DOI Question (General, Not IP Specific)



In article <199612181743.MAA15608@relay.hq.tis.com> Elfed Weaver wrote:
>> Date:          Wed, 18 Dec 1996 11:51:54 -0500
>> From:          ho@earth.hpc.org (Hilarie Orman)
>> To:            weaver@hydra.dra.hmg.gb
>> Cc:            ipsec@tis.com
>> Subject:       Re: ISAKMP DOI Question (General, Not IP Specific)
>
>> >   > - There can only be one SA between two machines at a given time.
>> 
>> >   I suppose this depends on who owns the SA i.e. if the owner of an SA 
>> >   is identified by the IP addr only (and a host only has one IP addr) 
>> >   then IMHO there can be only one pair of unidirectional SAs between any pair of 
>> >   machines.
>> 
>> Why?  The SA has an identifier; you can have several SAs for the same identities
>> without fear of confusion.
>
>On the down call (or outbound), there is no notion of an SPI; the information 
>available to identify an SA is Dest Addr and Port No (and possibly 
>user id).

For all outbound traffic, ipsec_output_policy() [or its equivalent]
knows at least these data items for an outbound IP packet that 
is to use IPsec:
	Protocol in use (TCP, UDP, ICMP, etc.)
	Source Address
	Source Port (if TCP or UDP are in use)
	Destination Address
	Destination Port (if TCP or UDP are in use)

Additionally, a good IPsec implementation will also know:
	Source Identity for this session
	Destination Identity for this session
	[NB: "identity" might be IP address, IP Addr+ULP+Port, 
		FQDN, USER_FQDN or whatever]

A good IPsec implementation would probably also add information about which SA
is being used currently for a particular session to that session's socket
state (or the non-BSD equivalent of socket state).  For example, in
session-unique keying it is important to keep the right SA associated with the
right IP session.

Note that if IPsec Policy [or its equivalent] knows these data items, then a
key management daemon using PF_KEYv2 can be informed by the kernel of these
data items and hence can use these data items in creating new IPsec SAs as
necessary.

I don't think there is any problem picking the correct SA to use for outbound
IPsec processing.  It is a requirement of the current Proposed Standard RFCs
that a pair of IPsec nodes be able to have more than one IPsec SA in use
between those nodes.  An IPsec implementation that is limited to one IPsec SA
per destination is not conforming to the current specifications.

Ran
rja@cisco.com
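Added example, not part of the original message or of any IPsec implementation: a minimal outbound SA lookup keyed on the selectors listed above (protocol, source/destination address, source/destination port), showing that several SAs between the same pair of hosts are told apart without any SPI on the outbound side. The SAD entries, addresses and SPI values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ANY 0  /* wildcard for protocol or port in an SA's selector (port 0 is unused) */

struct selector {
    uint32_t src, dst;      /* IPv4 addresses in host byte order */
    uint8_t  proto;         /* 6 = TCP, 17 = UDP, 1 = ICMP, or ANY */
    uint16_t sport, dport;  /* TCP/UDP ports, ANY for other protocols */
};

struct sa_entry {
    struct selector sel;    /* traffic this SA is permitted to carry */
    uint32_t spi;           /* SPI assigned by the receiving peer */
};

/* Constructed SAD: two SAs between 10.0.0.1 and 10.0.0.2 (one per service)
 * and a catch-all SA to 10.0.0.3. More specific entries are listed first,
 * because the lookup below returns the first match. */
static const struct sa_entry sad[] = {
    { { 0x0A000001u, 0x0A000002u, 6,   ANY, 23  }, 0x1001u }, /* telnet */
    { { 0x0A000001u, 0x0A000002u, 17,  ANY, 53  }, 0x1002u }, /* DNS    */
    { { 0x0A000001u, 0x0A000003u, ANY, ANY, ANY }, 0x2001u }, /* any    */
};

static int sel_covers(const struct selector *sa, const struct selector *pkt)
{
    return sa->src == pkt->src && sa->dst == pkt->dst
        && (sa->proto == ANY || sa->proto == pkt->proto)
        && (sa->sport == ANY || sa->sport == pkt->sport)
        && (sa->dport == ANY || sa->dport == pkt->dport);
}

/* Outbound selection from the selectors the policy code already knows.
 * Returns the SPI of the SA to apply, or 0 when none exists; in that case a
 * real implementation would hand the selectors to key management (e.g. a
 * PF_KEYv2 ACQUIRE) so that a new SA can be negotiated. */
uint32_t outbound_sa(uint32_t src, uint32_t dst, uint8_t proto,
                     uint16_t sport, uint16_t dport)
{
    struct selector pkt = { src, dst, proto, sport, dport };
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++)
        if (sel_covers(&sad[i].sel, &pkt))
            return sad[i].spi;
    return 0;
}
```

Each direction has its own SA, so a packet from 10.0.0.2 back to 10.0.0.1 finds nothing in this table and would trigger a separate negotiation.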

