why single value destipaddress in SA selector
Hello,
According to the IPsec Architecture RFC, the destination address part of the
selectors can be a single value, a range or a wildcard in the SPD, but an SA can
have only a single IP address. Why is it so? Why can't we have a range or
wildcard in the SA dest IP address part of the selectors, as in the SPD?
We are implementing Manual Key Management MKM.
For inbound policies, SAs have to be created before any packet matching a
policy comes in. So, in MKM we are creating SAs for inbound policies at
system startup.
             H2
            /
H1 ---- SG1 -- H3
            \
             H4
Consider an example wherein there are policies at H1 and SG1 saying host H1
can have an ESP tunnel up to SG1 for any of the hosts beyond SG1.
Assume SG1 is connected to H2, H3 and H4 on the 192.9.100.0 subnet; SG1's
address is 192.9.100.1, H2 is 192.9.100.2, H3 is 192.9.100.3 and H4 is 192.9.100.4.
So the SPD policy selectors at SG1 would be:

    Srcipaddr    destipaddr
    H1           192.9.100.0
As the SA selector destipaddress can only be a single value, we are forced to
create 3 SAs, with selector destipaddress 192.9.100.2 in one SA, 192.9.100.3
in the second SA and 192.9.100.4 in the third SA, which seems to be overkill. If
a wildcard or range were allowed, creating one SA with selector
destipaddress 192.9.100.0 would suffice, with the outer IP header destination
address set to the SG2 IP address.
Thanking you in anticipation.
Padma
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*Padma Goli |
*Rendzevous Onchip Pvt Ltd. |
*First Floor, Plot No 14 |
*New Vasavi Nagar, Karkhana |
*Secunderbad -500019. |
*Phone No : (040)7742606 |
*email address : padma@trinc.com |
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
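A constructed model of the scenario in the post above (added here as an illustration; it is not code from the poster or from any IPsec implementation). It uses the addresses given in the post; the class and function names, the SPI values and the wildcard source selector for H1 are assumptions. It counts how many SAs the gateway's SAD needs to cover H2, H3 and H4 when the SA destination selector must be a single address, versus when it may be a prefix.

```python
import ipaddress

# Constructed model (not the poster's code). Addresses are those in the post;
# names, SPIs and the any-source selector are assumptions.
GATEWAY = "192.9.100.1"            # SG1, the outer IP header destination
SUBNET = "192.9.100.0/24"          # hosts beyond SG1
HOSTS = ["192.9.100.2", "192.9.100.3", "192.9.100.4"]   # H2, H3, H4


class SPDEntry:
    """SPD selectors may be a single address (/32), a range/prefix or a wildcard (/0)."""

    def __init__(self, src, dst, action):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.action = action

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


class SA:
    """One SAD entry: SPI, inner destination selector, outer tunnel destination."""

    def __init__(self, spi, dst_selector, tunnel_dst):
        self.spi = spi
        self.dst_selector = ipaddress.ip_network(dst_selector)
        self.tunnel_dst = tunnel_dst

    def covers(self, dst_ip):
        return ipaddress.ip_address(dst_ip) in self.dst_selector


def find_sa(sad, dst_ip):
    """Outbound SA selection: first SA whose destination selector covers dst_ip."""
    for sa in sad:
        if sa.covers(dst_ip):
            return sa
    return None


def build_sad(hosts, selector_allows_prefix):
    """Create, at startup (manual keying), the SAs needed so every host is covered."""
    sad = []
    for i, host in enumerate(hosts, start=1):
        if find_sa(sad, host) is None:        # no existing SA covers this host
            selector = SUBNET if selector_allows_prefix else f"{host}/32"
            sad.append(SA(spi=0x1000 + i, dst_selector=selector, tunnel_dst=GATEWAY))
    return sad


policy = SPDEntry("0.0.0.0/0", SUBNET, "esp-tunnel")   # H1 -> anything beyond SG1
```

With single-address SA selectors `build_sad` yields three SAs; with a prefix selector one SA covers the whole subnet, which is the point the poster is making.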