ISAKMP SA negotiation

[Jim A Hoagland <jhoagla@ideal.jf.intel.com>]

Hello,

As part of my research in formally specifying security policies for network 
connections, I am looking at ISAKMP and the negotiation of security 
associations.  I have a question that I did not see addressed by the 
ISAKMP Internet Draft (2/21/97) or in the last few months archives of 
this mailing list, so I thought I'd pose it here.

When, for a particular situation, multiple SA proposals are acceptable, how 
does one choose the one to use?

This is how I see things.  The initiator has a set of security policies 
which dictate what SA proposals to make for different contexts (i.e. 
certain types of connections).  These proposals have a certain order of 
preference.  Similarly, the responder have a set of policies for what 
proposals to accept in a particular context.  Again, the responder has 
certain preferences for which it wants to be the outcome.

Now a example to motivate the question.  Site A wants to establish a 
connection with site B.  Consulting its policies, it determines the 
SA proposals for the particular situation.  There are 2 acceptable SAs, P1 
and P2, with the preference being for P1.  So, this is sent in P1, P2 
order in an ISAKMP SA payload.

Now, when site B receives the message, it consults its policies and 
determines what SAs are acceptable to it.  It finds that both P1 and P2 
are acceptable, but that P2 is preferred over P1.  Knowing that site A 
prefers P1, which should site B choose to respond with?

Thank you,

  Jim Hoagland

|*			James A. Hoagland                         *|
|*  Research Assistant, Computer Security Research Lab, UC Davis  *|
|* Grad. Tech. Intern, Internet Security, Intel Architecture Labs *|
|* 	     http://seclab.cs.ucdavis.edu/~hoagland/              *|

---

• Prev by Date: Let's Link
• Next by Date: RE: ISAKMP SA negotiation
• Prev by thread: Let's Link
• Next by thread: RE: ISAKMP SA negotiation
• Index(es):
  • Main
  • Thread