
Re: Question about SAs and draft-ietf-ipsec-isakmp-oakley-06



I'll stop beating this horse after this, but I just want to be clear.
The Quick Mode exchange is as follows:

        Initiator                        Responder
       -----------                      -----------
        HDR*, HASH(1), SA, Ni
          [, KE ] [, IDci, IDcr ] -->
                                  <--    HDR*, HASH(2), SA, Nr
                                               [, KE ] [, IDci, IDcr ]
        HDR*, HASH(3)             -->

Is the SA above considered a single SA negotiation as specified in the
following sentence?:

   A single SA negotiation results in two security associations-- one
   inbound and one outbound.

Or does the SA payload contain multiple SA negotiations (one for AH and
another for ESP)?  Or do I have to use (note the separate SA payloads):

        Initiator                        Responder
       -----------                      -----------
        HDR*, HASH(1), SA0, SA1, Ni,
          [, KE ] [, IDci, IDcr ] -->
                                  <--    HDR*, HASH(2), SA0, SA1, Nr,
                                            [, KE ] [, IDci, IDcr ]
        HDR*, HASH(3)             -->

to negotiate and create an IPSec tunnel that uses AH and ESP?  If a single
SA payload can only negotiate for one protocol then this needs to be
clearly stated in the isakmp-oakley draft.

Alexei V. Vopilov wrote:
> :
> :Now a single ISAKMP Phase 2 SA negotiation can contain a proposal that
> :specifies both AH and ESP protocols.  So shouldn't a single Phase 2 SA
> :negotiation result in four SAs (SA-AH-In, SA-AH-Out, SA-ESP-In, SA-ESP-Out)
> :not two as stated in draft-ietf-ipsec-isakmp-oakley-06.txt?
> 
> 
> The IPsec arch document just states that _logically_ one SA corresponds to
> exactly one IPsec protocol (ESP or AH) and exactly one SPI value being
> chosen by the traffic receiver.
> 
> The ISAKMP documents state that (due to the protocol design and its SA payload
> format)
> a single phase 2 SA negotiation results, at minimum, in two SAs - one inbound and
> one outbound. However, if a proposal includes both ESP and AH protocols,
> then each would require a separate SA and _due to_ ISAKMP design both inbound
> and outbound SAs will be negotiated at the same time. Each will have its own SPI!
> (ESP+AH)*(inbound+outbound)=(1+1)*(1+1)=4  ;-)))

Does this mean SA0, SA1 payloads need to be created individually and can
only contain 1 protocol in their respective proposals?

> I understand your confusion, because during ISAKMP design time
> there was an attempt to minimize the computation overhead required for
> establishment of a bi-directional secured channel, which is most common
> in current internetworking.
> 
> The ISAKMP authors just, IMO, unreasonably excluded a possibility to negotiate
> exactly one _unidirectional_ SA. That would lead to problems later when
> implementing, say, different policies for inbound and outbound traffic.
> 
> :--
> :Will Fiveash
> 
> --Alexei

-- 
Will Fiveash    
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904 
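The question above turns on what a single ISAKMP SA payload can carry. In the ISAKMP payload format (as published in RFC 2408, with the IPsec DOI numbers from RFC 2407) one SA payload holds a chain of Proposal payloads; Proposal payloads that share a Proposal # are AND-ed into one protection suite (for example AH together with ESP), while different Proposal # values are OR alternatives, and every Proposal payload carries its own SPI, chosen by the party that sends it for the traffic it will receive. The following is an added example, not code from the thread or from any IPsec implementation: it encodes the first form of the exchange (one SA payload offering AH+ESP as suite 1 and ESP alone as suite 2), parses it back, lets a responder answer suite 1 with its own SPIs, and enumerates the IPsec SAs that result. The SPI values, the transform choices (AH_SHA, ESP_3DES, tunnel mode) and the function names are this example's own assumptions; attribute parsing handles only the basic (TV) attribute form.

```python
"""ISAKMP Phase 2 (Quick Mode) SA payload: build, parse, and expand into IPsec SAs.
Added example, not code from the thread.  Wire layout per RFC 2408, numbers per RFC 2407;
SPI values and transform choices below are constructed for illustration."""
import struct
from dataclasses import dataclass

DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1               # RFC 2407
PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 2, 3            # RFC 2407 Protocol-IDs
PROTO_NAME = {PROTO_IPSEC_AH: "AH", PROTO_IPSEC_ESP: "ESP"}
AH_SHA, ESP_3DES = 3, 3                           # RFC 2407 Transform-IDs
ATTR_ENCAP_MODE, ENCAP_TUNNEL = 4, 1              # RFC 2407 SA attribute, basic (TV) form
NP_NONE, NP_PROPOSAL, NP_TRANSFORM = 0, 2, 3      # RFC 2408 Next Payload codes

@dataclass
class Transform:
    number: int
    transform_id: int
    attributes: list        # [(type, value)] basic attributes only

@dataclass
class Proposal:
    number: int     # equal Proposal # => protocols AND-ed into one suite; different => OR
    protocol: int
    spi: bytes      # chosen by the sender of this payload for traffic it will *receive*
    transforms: list

def encode_transform(t, last):
    attrs = b"".join(struct.pack("!HH", 0x8000 | typ, val) for typ, val in t.attributes)
    body = struct.pack("!BBH", t.number, t.transform_id, 0) + attrs
    return struct.pack("!BBH", NP_NONE if last else NP_TRANSFORM, 0, 4 + len(body)) + body

def encode_proposal(p, last):
    body = struct.pack("!BBBB", p.number, p.protocol, len(p.spi), len(p.transforms)) + p.spi
    body += b"".join(encode_transform(t, i == len(p.transforms) - 1)
                     for i, t in enumerate(p.transforms))
    return struct.pack("!BBH", NP_NONE if last else NP_PROPOSAL, 0, 4 + len(body)) + body

def encode_sa(proposals, next_payload=NP_NONE):
    body = struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY)   # one SA payload, any mix of AH/ESP
    body += b"".join(encode_proposal(p, i == len(proposals) - 1)
                     for i, p in enumerate(proposals))
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_sa(data):
    _, _, length = struct.unpack("!BBH", data[:4])
    doi, _ = struct.unpack("!II", data[4:12])
    if doi != DOI_IPSEC or length > len(data):
        raise ValueError("not a well-formed IPsec DOI SA payload")
    proposals, off = [], 12
    while off < length:
        _, _, plen = struct.unpack("!BBH", data[off:off + 4])
        num, proto, spi_size, ntrans = struct.unpack("!BBBB", data[off + 4:off + 8])
        spi = data[off + 8:off + 8 + spi_size]
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen = struct.unpack("!BBH", data[toff:toff + 4])
            tnum, tid, _ = struct.unpack("!BBH", data[toff + 4:toff + 8])
            attrs, aoff = [], toff + 8
            while aoff < toff + tlen:
                typ, val = struct.unpack("!HH", data[aoff:aoff + 4])
                if not typ & 0x8000:
                    raise ValueError("variable-length (TLV) attributes not handled here")
                attrs.append((typ & 0x7FFF, val))
                aoff += 4
            transforms.append(Transform(tnum, tid, attrs))
            toff += tlen
        if toff != off + plen:
            raise ValueError("proposal length does not match its transforms")
        proposals.append(Proposal(num, proto, spi, transforms))
        off += plen
    return proposals

def protection_suites(proposals):
    """Group by Proposal #: each group is one AND-ed suite; the groups are OR alternatives."""
    suites = {}
    for p in proposals:
        suites.setdefault(p.number, []).append(p)
    return suites

def resulting_sas(initiator_suite, responder_suite):
    """IPsec SAs created by one accepted suite: per protocol one per direction, own SPI each."""
    by_proto = {p.protocol: p for p in responder_suite}
    sas = []
    for p in initiator_suite:
        name = PROTO_NAME[p.protocol]
        sas.append((name, "initiator->responder", by_proto[p.protocol].spi))  # responder receives
        sas.append((name, "responder->initiator", p.spi))                     # initiator receives
    return sas

def quick_mode_example():
    """Constructed exchange: initiator offers AH+ESP (suite 1) or ESP alone (suite 2)."""
    tunnel = [(ATTR_ENCAP_MODE, ENCAP_TUNNEL)]
    offer = [Proposal(1, PROTO_IPSEC_AH, b"\x00\x00\x10\x01", [Transform(1, AH_SHA, tunnel)]),
             Proposal(1, PROTO_IPSEC_ESP, b"\x00\x00\x10\x02", [Transform(1, ESP_3DES, tunnel)]),
             Proposal(2, PROTO_IPSEC_ESP, b"\x00\x00\x10\x03", [Transform(1, ESP_3DES, tunnel)])]
    wire = encode_sa(offer)                         # the single SA payload in message 1
    chosen = protection_suites(parse_sa(wire))[1]   # responder selects suite 1 (AH AND ESP)
    reply = [Proposal(p.number, p.protocol, spi, p.transforms)      # responder's own SPIs
             for p, spi in zip(chosen, [b"\x00\x00\x20\x01", b"\x00\x00\x20\x02"])]
    return wire, chosen, resulting_sas(chosen, parse_sa(encode_sa(reply)))
```

Running `quick_mode_example()` yields an 84-byte SA payload and four IPsec SAs for the accepted suite (AH and ESP, each in both directions), with four distinct SPIs: the initiator's two from message 1 and the responder's two from message 2. The second form of the exchange in the question (SA0 and SA1 as separate payloads) would need one `encode_sa` call per payload; this example shows that the two protocols also fit in a single payload under one Proposal #.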

