
Re: ISAKMP DOI Question (General not IP Specific)



Originally Richard Waterhouse wrote:

>The following statement is reported to have been made at an ISAKMP
>meeting yesterday

>- There can only be one SA between two machines at a given time.
>Therefore since there can only be one DOI to an SA, there can only be
>one DOI active between two machines at a given time. 

Elfed Weaver replied:

>I suppose this depends on who owns the SA i.e. if the owner of an SA 
>is identified by the IP addr only (and a host only has one IP addr) 
>then IMHO there can be only one pair of unidirectional SAs between any pair of 
>machines. Clearly, if SAs are associated with protocol numbers, user 
>ids ?..., then many SAs can exist between any pair of hosts. 

            The intent of my reply was to state that the number of SAs that can 
            exist between two machines depends on the granularity of the 
            information available to identify an SA.

Hilarie wrote:

>Why?  The SA has an identifier; you can several SA's for the same identities
>without fear of confusion.

Elfed Weaver's response:

>On the down call (or outbound), there is no notion of an SPI; the information 
>available to identify an SA is Dest Addr and Port No (and possibly 
>user id)

            My interpretation of Hilarie's comment was that an explicit SA 
            identifier existed which permitted an "identity" - however fine the 
            identity granularity is - to own more than one SA for communicating 
            with the same peer entity. Possibly I have misinterpreted the 
            comment. 

If two physical "identities" wished to have more than one SA existing 
between them, i.e. they require to exchange information at different 
security levels, then surely they would have to provide more 
information to allow the correct SA to be selected/used by IPsec, 
thus providing a finer granularity for SA identification.

This I believe is the essence of Ran's comments, and I quote from Ran's 
comments:

      "[NB: "identity" might be IP address, IP Addr+ULP+Port, FQDN, 
         USER_FQDN or whatever]"

Elfed

****************************************************

Elfed T. Weaver
Defence Research Agency
Malvern
UK

weaver@hydra.dra.hmg.gb
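The point argued in this thread, that the number of SAs that can coexist between two hosts is bounded by the granularity of the outbound selector, can be shown with a small model of an outbound SA lookup. This is an added illustration, not code from the thread or from any IPsec implementation; the selector fields (destination address, protocol, port, user id), the SA labels and the "most specific selector wins" rule are assumptions made for the example.

```python
# Added example: an outbound SA table keyed by selectors of varying
# granularity. With address-only selectors a peer pair can own exactly
# one SA; adding protocol/port/user fields lets several SAs coexist.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    dst: str                        # destination address, always present
    proto: Optional[int] = None     # upper-layer protocol, None = any
    port: Optional[int] = None      # destination port, None = any
    user: Optional[str] = None      # user id, None = any

    def matches(self, dst: str, proto: int, port: int, user: Optional[str]) -> bool:
        return (self.dst == dst
                and self.proto in (None, proto)
                and self.port in (None, port)
                and self.user in (None, user))

    def specificity(self) -> int:
        # number of non-wildcard fields beyond the address
        return sum(f is not None for f in (self.proto, self.port, self.user))


class OutboundSAD:
    def __init__(self) -> None:
        self.entries: list = []     # (Selector, SA label), in insertion order

    def add(self, selector: Selector, sa: str) -> None:
        # Two SAs cannot share one selector: the lookup could not tell them apart.
        if any(s == selector for s, _ in self.entries):
            raise ValueError(f"selector {selector} already owns an SA")
        self.entries.append((selector, sa))

    def lookup(self, dst: str, proto: int, port: int, user: Optional[str] = None):
        # Most specific matching selector wins; ties go to the earliest entry.
        best = None
        for s, sa in self.entries:
            if s.matches(dst, proto, port, user):
                if best is None or s.specificity() > best[0]:
                    best = (s.specificity(), sa)
        return None if best is None else best[1]


def demo() -> dict:
    """Constructed peer 10.0.0.2 with a default SA and a port-specific SA."""
    sad = OutboundSAD()
    sad.add(Selector("10.0.0.2"), "SA-default")
    sad.add(Selector("10.0.0.2", proto=6, port=25), "SA-mail")   # finer-grained
    return {"mail": sad.lookup("10.0.0.2", 6, 25),
            "web": sad.lookup("10.0.0.2", 6, 80)}


if __name__ == "__main__":
    print(demo())   # {'mail': 'SA-mail', 'web': 'SA-default'}
```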