
isakmp doubts
hi

	I am having some doubts about the isakmp+oakley,
	can anyone please clarify them.

	1) Is the SPI space used by the various protocols
	defined anywhere? On page 16 of the ISAKMP draft
	it says that "Each security protocol has its own
	SPI-space."

	2) Is SPI unique on a host? Or is it unique for
	a particular destination IP address in the
	SA Data Base?

	3) A "PROPOSAL" contains details of one "PROTECTION
	SUITE", and a "PROTECTION SUITE" may contain many
	"SECURITY PROTOCOLS". But the SPI is part of the
	proposal payload, and one proposal payload is used
	to give the details of one "SECURITY PROTOCOL" only.
	To give details of more than one "SECURITY PROTOCOL"
	in a proposal we use multiple proposal payloads with
	the same proposal# (proposal number). So can there
	be different SPI values for the "SECURITY PROTOCOLS"
	within the same "PROPOSAL" (i.e. multiple proposal
	payloads with the same proposal number)?
	So my doubt is whether it is mandatory to use different
	SPI values for different "SECURITY PROTOCOLS" within the
	same "PROPOSAL"?
	Or is it mandatory to use the same SPI value?
	In the case where different SPI values are mandatory, how
	is an SA identified, because an SA will then have more than
	one SPI value (one for each "SECURITY PROTOCOL")?

	4) The different Exchanges defined in ISAKMP have
	a defined set of messages to be exchanged to negotiate the
	ISAKMP SA and the IPSEC SA later. How do you handle
	the issue of "TIMEOUT" and "RE-TRANSMISSION" of messages
	during these Exchanges? Is there an agreed upon way as
	to how we should handle this issue? I feel that this
	issue needs an agreed upon standard solution for
	interoperability reasons.

	5) ISAKMP can be used to negotiate multiple SAs between
	two entities. So when there are multiple active SAs
	between any two nodes, how do I decide which of the
	active SAs to use for the outgoing traffic? Because
	in IPSEC, the securing of the IP packets is done
	in the IP layer, and in the IP layer the information
	of which process generated this IP packet is all
	lost; this information is only available in the socket
	layer. Consider a very dynamic situation where we have
	each user on the system using his own ID_USER_FQDN
	(example piper@foo.bar.com) and each user negotiates
	an SA for his use. We will ultimately have a
	situation where there is more than one active SA
	between two nodes (nodes that are identified by IP addresses).
	Here when the IP layer is securing outgoing traffic, it
	has to use the SA corresponding to the particular user,
	so it has to know which process generated this traffic,
	and who is the owner of that process. How can this situation
	be supported using IPSEC?

	6) In a "Video on demand" application, it is logical to have
	just encryption from the service provider to the customer, and
	to have just authentication from the customer to the service
	provider traffic. In this situation there is a requirement for
	two SAs to the same destination IP address, one for outgoing
	traffic only and another for incoming traffic only. How do I
	negotiate such SAs using ISAKMP?

Thanks in advance
regards
narasimha
E-mail: pcn@teil.soft.net
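Question 3 above turns on how proposal payloads that share a proposal number form one protection suite while each carries its own SPI. As an added example, not part of narasimha's message or of any implementation, the Python parser below walks a chain of Proposal payloads in the layout later fixed in RFC 2408 (section 3.5) and groups them by proposal number, listing the SPI each security protocol carries; the sample bytes, SPIs and transform numbers are constructed for the demonstration.

```python
import struct
from collections import defaultdict

PAYLOAD_NONE = 0          # "next payload" value that ends the chain
PAYLOAD_PROPOSAL = 2      # RFC 2408 payload type for a Proposal payload
# RFC 2407 PROTO_* identifiers carried in the proposal's protocol-id byte
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

def parse_proposals(data):
    """Group consecutive Proposal payloads into protection suites.

    Proposal payload header: next payload (1), reserved (1), payload
    length (2), proposal# (1), protocol-id (1), SPI size (1),
    # of transforms (1), followed by the SPI and the transform payloads.
    Returns {proposal#: [(protocol_name, spi_bytes), ...]}; one entry
    per security protocol, each with the SPI its own payload carried.
    """
    suites = defaultdict(list)
    offset = 0
    while offset < len(data):
        if len(data) - offset < 8:
            raise ValueError("truncated proposal header")
        nxt, _r, length, num, proto, spi_size, _ntrans = struct.unpack_from(
            "!BBHBBBB", data, offset)
        if length < 8 + spi_size or offset + length > len(data):
            raise ValueError("bad proposal payload length")
        spi = data[offset + 8: offset + 8 + spi_size]
        suites[num].append((PROTO_NAMES.get(proto, f"proto{proto}"), spi))
        offset += length          # skips the SPI and the nested transforms
        if nxt == PAYLOAD_NONE:
            break
        if nxt != PAYLOAD_PROPOSAL:
            raise ValueError(f"unexpected next payload type {nxt}")
    return dict(suites)

def build_proposal(next_payload, num, proto, spi, transform_id):
    """Constructed encoder for the demo: one proposal with one transform."""
    transform = struct.pack("!BBHBBH", 0, 0, 8, 1, transform_id, 0)
    body = spi + transform
    hdr = struct.pack("!BBHBBBB", next_payload, 0, 8 + len(body),
                      num, proto, len(spi), 1)
    return hdr + body

# Constructed SA payload body: proposal 1 is an AH+ESP suite sent as two
# payloads with the same proposal number (each with its own SPI);
# proposal 2 is an ESP-only alternative and ends the chain.
SAMPLE = (build_proposal(PAYLOAD_PROPOSAL, 1, 2, b"\x00\x00\x01\x01", 2)
          + build_proposal(PAYLOAD_PROPOSAL, 1, 3, b"\x00\x00\x02\x02", 3)
          + build_proposal(PAYLOAD_NONE, 2, 3, b"\x00\x00\x03\x03", 3))

if __name__ == "__main__":
    for num, protocols in parse_proposals(SAMPLE).items():
        print(f"proposal {num}:", [(p, s.hex()) for p, s in protocols])
```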