Re: Question about SAs and draft-ietf-ipsec-isakmp-oakley-06
I'll stop beating this horse after this but I just want to be clear.
the Quick Mode exchange is as follows:
Initiator Responder
----------- -----------
HDR*, HASH(1), SA, Ni
[, KE ] [, IDci, IDcr ] -->
<-- HDR*, HASH(2), SA, Nr
[, KE ] [, IDci, IDcr ]
HDR*, HASH(3) -->
Is the SA above considered a single SA negotiation as specified in the
following sentence?:
A single SA negotiation results in two security associations-- one
inbound and one outbound.
Or does the SA payload contain multiple SA negotiations (one for AH and
another for ESP)? Or do I have to use (note the separate SA payloads):
Initiator Responder
----------- -----------
HDR*, HASH(1), SA0, SA1, Ni,
[, KE ] [, IDci, IDcr ] -->
<-- HDR*, HASH(2), SA0, SA1, Nr,
[, KE ] [, IDci, IDcr ]
HDR*, HASH(3) -->
to negotiate and create an IPSec tunnel that uses AH and ESP? If a single
SA payload can only negotiate for one protocol then this needs to be
clearly stated in the isakmp-oakley draft.
Alexei V. Vopilov wrote:
> :
> :Now a single ISAKMP Phase 2 SA negotiation can contain a proposal that
> :specifies both AH and ESP protocols. So shouldn't a single Phase 2 SA
> :negotiation result in four SAs (SA-AH-In, SA-AH-Out, SA-ESP-In, SA-ESP-Out)
> :not two as stated in draft-ietf-ipsec-isakmp-oakley-06.txt?
>
>
> Ipsec arch document just states that _logically_ one SA corresponds to
> exactly one IPsec protocol (ESP or AH) and exactly one SPI value being
> chosen by the traffic receiver.
>
> ISAKMP documents state that (due to the protocol design and its SA payload
> format)
> single phase 2 SA negotiation results, at minimum, to two SAs - one inbound and
> one outbound. However, if a proposal includes both ESP and AH protocols,
> then each would require separate SA and _due to_ ISAKMP design both inbound
> and outbound SAs will be negotiated at the same time. Each will have own SPI!
> (ESP+AH)*(inbound+outbound)=(1+1)*(1+1)=4 ;-)))
Does this mean SA0, SA1 payloads need to be created individually and can
only contain 1 protocol in their respective proposals?
> I understand your confusion, because during ISAKMP design time
> there was an attempt to minimize the computation overhead required for
> establishment of bi-directional secured channel, which is most common
> in the current internetworking.
>
> The ISAKMP authors just, IMO, unreasonably excluded a possibility to negotiate
> exactly one _unidirectional_ SA. That would lead to problems later when
> implementing, say, different policies for inbound and outbound traffic.
>
> :--
> :Will Fiveash
>
> --Alexei
--
Will Fiveash
IBM AIX System Development Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551 Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493 Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
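The four-SA count Alexei works out above (AH and ESP, each with an inbound and an outbound SA carrying its own SPI), modelled as an added example that is not from this thread or from any IPsec implementation. It assumes the ISAKMP proposal/transform payload layout and the IPsec DOI Protocol-ID values AH=2, ESP=3 as published in RFC 2408 and RFC 2407; the SPI values and the transform id are constructed placeholders.

```python
import struct
from collections import defaultdict

PROTO_NAMES = {2: "AH", 3: "ESP"}                  # IPsec DOI Protocol-ID values (RFC 2407)
NEXT_NONE, NEXT_PROPOSAL, NEXT_TRANSFORM = 0, 2, 3  # ISAKMP Next Payload codes (RFC 2408)

def transform_payload(last):
    # Transform payload with no attributes (8 bytes); Transform-Id 1 is a constructed placeholder
    return struct.pack("!BBHBBH", NEXT_NONE if last else NEXT_TRANSFORM, 0, 8, 1, 1, 0)

def proposal_payload(prop_no, proto, spi, last):
    # Proposal header: next, reserved, length, proposal #, protocol-id, SPI size, # of transforms
    t = transform_payload(True)
    hdr = struct.pack("!BBHBBBB", NEXT_NONE if last else NEXT_PROPOSAL, 0,
                      8 + len(spi) + len(t), prop_no, proto, len(spi), 1)
    return hdr + spi + t

def build_sa_body(suites):
    """suites: {prop_no: [(proto, spi), ...]}. Proposals sharing a number are ANDed into one
    protection suite (e.g. AH+ESP); different numbers are OR alternatives the responder picks from."""
    items = [(n, p, s) for n, lst in sorted(suites.items()) for p, s in lst]
    return b"".join(proposal_payload(n, p, s, i == len(items) - 1) for i, (n, p, s) in enumerate(items))

def parse_proposals(data):
    """Walk the proposal chain and group (proto, spi) by proposal #; transforms are skipped by length."""
    suites, off = defaultdict(list), 0
    while True:
        nxt, _, length, num, proto, spi_size, _ = struct.unpack_from("!BBHBBBB", data, off)
        suites[num].append((proto, data[off + 8:off + 8 + spi_size]))
        if nxt == NEXT_NONE:
            return dict(suites)
        off += length

def resulting_sas(our_body, peer_body, chosen):
    """IPsec SAs created for the selected suite: each protocol yields an inbound SA keyed by the SPI
    we chose and an outbound SA keyed by the SPI the peer chose, so AH+ESP gives 2*2 = 4 SAs."""
    ours = dict(parse_proposals(our_body)[chosen])
    theirs = dict(parse_proposals(peer_body)[chosen])
    sas = []
    for proto, spi in ours.items():
        sas.append((PROTO_NAMES[proto], "in", spi.hex()))
        sas.append((PROTO_NAMES[proto], "out", theirs[proto].hex()))
    return sas

# Constructed sample: initiator offers suite #1 = AH AND ESP, suite #2 = ESP alone
INITIATOR_SA = build_sa_body({1: [(2, bytes.fromhex("00000101")), (3, bytes.fromhex("00000102"))],
                              2: [(3, bytes.fromhex("00000103"))]})
# Responder accepts suite #1, echoing it with the SPIs it will receive on
RESPONDER_SA = build_sa_body({1: [(2, bytes.fromhex("00000201")), (3, bytes.fromhex("00000202"))]})
```

Calling `resulting_sas(INITIATOR_SA, RESPONDER_SA, 1)` lists the four SAs; a responder that only accepted suite #2 would yield two.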