
Re: ISAKMP DOI Question (General, Not IP Specific)



I've been away on vacation, so pardon my tardy comments on this topic. (At
least I tried to read the whole thread before commenting ...)

Ran did a good job of describing an IPSEC processing selector function,
something that also I described in my presentation at the WG meeting a
couple of weeks ago.  This function examines a set of parameters derived
from the packet and/or passed along as PCI (e.g., the ones cited by Ran
and, optionally, a security level if appropriate) to select the sequence of
SAs to be applied to an outbound datagram.  The parameters are defined by
the security policy in force locally, and by what has been negotiated in
the course of establishing SAs with other IPSEC sites.

Note that an outbound datagram may be subjected to more than one layer of
IPSEC processing (e.g., a transport mode AH above a tunnel mode ESP that
terminates at a security gateway).  Thus I've assumed that the output of
the selection function would be not just one SA, but a sequence of SAs
(which may, of course, be just one SA). This also suggests that it is not
sufficient to specify the processing by using an SPI passed down by a
higher layer protocol, since an SPI identifies just one SA.  So, on a
multi-user end system, in addition to the need to prevent one user from
being able to request processing under the imprimatur of another user, in
general there is a need to support a sequence of IPSEC processing steps,
involving multiple SAs.


Steve
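The selector function Steve describes, as an added illustration that is not part of the original message or any IPsec implementation: a policy database (SPD) of ordered rules is matched against packet-derived parameters plus PCI (here a security level), and the result is an ordered chain of SAs (innermost first) rather than a single SA. It also shows why an SPI handed down by a higher layer is insufficient (it names exactly one SA) and how an SA bound to one local user is refused when another user's traffic would select it. All SA, SPI, address and uid values are constructed for the example.

```python
"""Illustrative outbound IPsec SA selector: packet/PCI parameters -> ordered SA chain.

Constructed example; the SAD/SPD contents and all identifiers are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int
    protocol: str                   # "AH" or "ESP"
    mode: str                       # "transport" or "tunnel"
    peer: str                       # remote endpoint the SA was negotiated with
    owner_uid: Optional[int] = None  # None: any local user may request this SA


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                      # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int]
    level: int = 0                  # optional security level passed as PCI


@dataclass(frozen=True)
class PolicyRule:
    dst_net: ipaddress.IPv4Network
    proto: Optional[int]            # None matches any protocol
    dport: Optional[int]            # None matches any port
    min_level: int                  # rule applies only if packet level >= this
    action: str                     # "protect", "bypass" or "discard"
    sa_chain: Tuple[SA, ...] = ()   # SAs to apply, innermost first ("protect" only)


# Constructed SA database: what has been negotiated with peers.
AH_TRANSPORT = SA(spi=0x1001, protocol="AH", mode="transport", peer="10.1.0.5")
ESP_TUNNEL = SA(spi=0x2002, protocol="ESP", mode="tunnel", peer="192.0.2.1")
ESP_PRIVATE = SA(spi=0x3003, protocol="ESP", mode="transport", peer="10.2.0.9", owner_uid=1000)
SAD = {sa.spi: sa for sa in (AH_TRANSPORT, ESP_TUNNEL, ESP_PRIVATE)}

# Constructed security policy: ordered, first match wins.
SPD = [
    # HTTPS into 10.1/16: transport AH, then tunnel ESP to the gateway (two layers).
    PolicyRule(ipaddress.ip_network("10.1.0.0/16"), 6, 443, 0, "protect", (AH_TRANSPORT, ESP_TUNNEL)),
    # Anything to 10.2/16 uses an SA that belongs to uid 1000 only.
    PolicyRule(ipaddress.ip_network("10.2.0.0/16"), None, None, 0, "protect", (ESP_PRIVATE,)),
    # Other private-range traffic is dropped rather than sent in the clear.
    PolicyRule(ipaddress.ip_network("10.0.0.0/8"), None, None, 0, "discard"),
    # Catch-all: bypass IPsec.
    PolicyRule(ipaddress.ip_network("0.0.0.0/0"), None, None, 0, "bypass"),
]


def _matches(rule: PolicyRule, pkt: Packet) -> bool:
    """Compare the packet-derived parameters and PCI against one rule."""
    return (ipaddress.ip_address(pkt.dst) in rule.dst_net
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and pkt.level >= rule.min_level)


def select_sas(pkt: Packet, uid: int, spd: List[PolicyRule] = SPD) -> List[SA]:
    """Return the ordered sequence of SAs (innermost first) to apply to pkt.

    Raises ValueError when policy discards the packet or nothing matches, and
    PermissionError when the chain contains an SA owned by a different local user.
    """
    for rule in spd:
        if not _matches(rule, pkt):
            continue
        if rule.action == "bypass":
            return []
        if rule.action == "discard":
            raise ValueError(f"policy discards traffic to {pkt.dst}")
        for sa in rule.sa_chain:
            # Ownership check: one user must not obtain processing under another's SA.
            if sa.owner_uid is not None and sa.owner_uid != uid:
                raise PermissionError(f"SPI {sa.spi:#x} belongs to uid {sa.owner_uid}, not {uid}")
        return list(rule.sa_chain)
    raise ValueError("no policy rule matched")  # the catch-all rule should prevent this


def lookup_spi(spi: int) -> SA:
    """An SPI names exactly one SA; it cannot express a multi-SA sequence."""
    return SAD[spi]


if __name__ == "__main__":
    chain = select_sas(Packet("10.0.0.1", "10.1.0.5", 6, 443), uid=500)
    print([(sa.protocol, sa.mode, hex(sa.spi)) for sa in chain])
```

The ordering matters: the selector returns the chain innermost first, so the AH transport header is applied before the packet is wrapped in the ESP tunnel to the gateway, which is the layering the message describes.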



