Re: Is tunnel IP address included in SA?
Hi,
Thanks to all who responded to my question. Now I understand how SAs
are established.
There seem to be several ways to find the tunnel IP address for a
particular destination IP address:
(1) DNS TX record
(2) ISAKMP/Oakley (or other KMPs)
(3) an implementation-specific way to determine what destination IP
address corresponds to what tunnel IP address, probably in a manual
fashion.
I think that (2) is the way to go ultimately, but at the early stage
of the deployment of IPsec, (1) or (3) seems to be feasible. Is there
any known implementation that is using the (1) approach? Does current BIND
(8.X?) support this RR?
Now I am wondering why people chose a way like this. I guess the way
I initially came up with isn't that bad. That is,
(4) To have one SA for each final destination IP address, and such an
SA has a corresponding tunnel IP address.
This approach is considered to be one of the variants of the (3) approach,
but the way to have an SA is different. For example,
      |                                       |
 PC1 -+                                       +- PC21
      |             (Internet)                |
      +-- R1 --- ......... --- R2 ------------+
      |              .                        |
                     .                        +- PC22
                     R3
                     |
               ----+---+--
                   PC3
In the figure above, PC1 sends datagrams to PC21, PC22, and
PC3. Then, R1 should have three SAs like,
SA1 : destIP = PC21, SPI(AH, keyed-MD5, MD5key=xxxxx, tunnelIP= R2)
SA2 : destIP = PC22, SPI(ESP, DES-CBC, DESkey=yyyyy, tunnelIP= R2)
SA3 : destIP = PC3, SPI(AH, keyed-MD5, key=zzz, tunnelIP= R3)
This approach eliminates the need to resolve the tunnel IP address for
each destination IP address by making a tunnel IP address be a part of
SA information.
Any comments?
=====================================
Motonori Shindo
Systems Engineer
Ascend Communications Japan K.K.
email: mshindo@ascend.co.jp
TEL: +81-3-5325-7306
=====================================
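The SA table R1 would hold under approach (4), as an added worked example that is not part of the original post or of any IPsec implementation. It models a tunnel-mode SAD in which each SA carries its own tunnel (outer) address, so the gateway selects the SA by final destination and obtains the outer header from it in a single lookup. Host and gateway addresses, SPI values and key bytes are all assumed placeholders; the example goes slightly beyond the post by allowing a selector to be a prefix rather than a single host, and adds the check a practitioner would want: SPIs must be unique per (tunnel endpoint, protocol), since two SAs to R2 that share an SPI and protocol could not be told apart by the receiver.

```python
"""Tunnel-mode SA table keyed by final destination (illustrative only).

Written for this page; not code from the original post or any vendor.
All addresses, SPIs and key bytes below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class TunnelSA:
    selector: IPv4Network   # final destination(s) this SA protects
    spi: int                # Security Parameters Index carried in AH/ESP header
    protocol: str           # "AH" or "ESP"
    algorithm: str          # label as used in the post ("keyed-MD5", "DES-CBC")
    key: bytes              # placeholder key material
    tunnel_ip: str          # outer IP destination: the peer security gateway


# Assumed addresses for the hosts and gateways in the post's figure.
HOSTS = {"PC21": "10.2.0.21", "PC22": "10.2.0.22", "PC3": "10.3.0.3"}
GATEWAYS = {"R2": "192.0.2.2", "R3": "192.0.2.3"}

# R1's constructed SAD: SA1 and SA2 share tunnel endpoint R2 but differ
# in SPI, protocol and key; SA3 goes to R3.
SAD = [
    TunnelSA(ip_network(HOSTS["PC21"] + "/32"), 0x1001, "AH",
             "keyed-MD5", b"x" * 16, GATEWAYS["R2"]),
    TunnelSA(ip_network(HOSTS["PC22"] + "/32"), 0x1002, "ESP",
             "DES-CBC", b"y" * 8, GATEWAYS["R2"]),
    TunnelSA(ip_network(HOSTS["PC3"] + "/32"), 0x1003, "AH",
             "keyed-MD5", b"z" * 16, GATEWAYS["R3"]),
]


def select_sa(sad, dst):
    """Longest-prefix match of the final destination against SA selectors.

    The tunnel endpoint is part of the SA, so no separate resolution step
    (DNS record, key-management protocol, or manual table) is needed to
    find the outer address. Returns None when no SA covers dst.
    """
    addr = ip_address(dst)
    matches = [sa for sa in sad if addr in sa.selector]
    if not matches:
        return None
    return max(matches, key=lambda sa: sa.selector.prefixlen)


def encapsulate(sad, dst, payload):
    """Describe the tunnel-mode packet R1 would emit for an inner datagram.

    Raises LookupError when no SA exists; in a real gateway that is a
    policy decision (drop, bypass, or trigger key management), not an
    implicit cleartext send.
    """
    sa = select_sa(sad, dst)
    if sa is None:
        raise LookupError(f"no SA for {dst}; policy decision required")
    return {
        "outer_dst": sa.tunnel_ip,
        "protocol": sa.protocol,
        "spi": sa.spi,
        "inner_dst": dst,
        "inner_payload": payload,
    }


def validate_sad(sad):
    """Return a list of problems found in the SAD.

    An SPI must be unique per (tunnel endpoint, protocol): the receiving
    gateway demultiplexes inbound AH/ESP by exactly that triple.
    """
    problems = []
    seen = set()
    for sa in sad:
        key = (sa.tunnel_ip, sa.protocol, sa.spi)
        if key in seen:
            problems.append(
                f"duplicate SPI {sa.spi:#x} for {sa.protocol} to {sa.tunnel_ip}")
        seen.add(key)
    return problems


if __name__ == "__main__":
    for host in ("PC21", "PC22", "PC3"):
        print(host, encapsulate(SAD, HOSTS[host], b"data"))
    print("SAD problems:", validate_sad(SAD) or "none")
```

The packet description returned by `encapsulate` is what the outer header would be built from; with a real AH or ESP implementation the payload would additionally be authenticated or encrypted under the selected SA's key before the outer header is prepended.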