
why single value destipaddress in SA selector



Hello,


According to the IPsec Architecture RFC, the destination address part of
the selectors can have a single value, a range, or a wildcard in the SPD, but an SA can have only a
single IP address. Why is it so? Why can't we have a range or wildcard in the SA
destination IP address part of the selectors, as in the SPD?

  We are implementing Manual Key Management (MKM).

For inbound policies, SAs have to be created before any packet matching a
policy comes in. So, in MKM, we are creating SAs for inbound policies at
system startup.
                                  H2
                                /
                  H1 ---- SG1    -- H3
                                \
                                  H4


Consider an example wherein there are policies at H1 and SG1 saying host H1
can have an ESP tunnel up to SG1 for any of the hosts beyond SG1.
Assume SG1 is connected to H2, H3 and H4 on the 192.9.100.0 subnet, the SG1
address is 192.9.100.1, H2 is 192.9.100.2, 100.3 for H3 and 100.4 for H4.

So the SPD policy selectors at SG1 would be

		Srcipaddr   destipaddr
		 H1          192.9.100.0


As the SA selector destination address is only a single value, we are forced to create
3 SAs, with selector destination address 192.9.100.2 in one SA, 192.9.100.3
in the second SA and 192.9.100.4 in the third SA, which seems to be overkill. If
a wildcard or range were allowed, creation of one SA with selector
destination address 192.9.100.0 would suffice, with the outer IP header destination
address set to the SG2 IP address.



Thanking you in anticipation.

Padma
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*Padma Goli                        |
*Rendzevous Onchip Pvt Ltd.        |
*First Floor, Plot No 14           |
*New Vasavi Nagar, Karkhana        |
*Secunderbad -500019.              |
*Phone No : (040)7742606           |
*email address : padma@trinc.com   |
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| 
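The following is an added worked example, not code from the original post or from the poster's implementation. It models, in Python, the inbound side of SG1 as described above: an SPD entry whose destination selector is the 192.9.100.0/24 prefix, and the three single-destination SAs that a manual-keying implementation has to pre-create for H2, H3 and H4. It also shows the part of inbound processing that makes the single-value SA selector matter from a defender's point of view: after the SA is found by SPI, outer destination and protocol, the decapsulated inner packet is checked against that SA's selectors and dropped on a mismatch. H1's address (10.0.0.1), the SPI values and the key labels are constructed assumptions; the post gives only the 192.9.100.x addresses.

```python
"""Toy SPD/SAD model for the inbound direction at a security gateway (SG1).

Added example, not the original post's code. Addresses for SG1 and H2-H4 come
from the post; H1's address, the SPIs and the key labels are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class SpdEntry:
    """SPD selectors may be a single host (/32), a prefix (range-like) or a wildcard (0.0.0.0/0)."""
    src: Net
    dst: Net
    action: str                      # "PROTECT", "BYPASS" or "DISCARD"
    tunnel_endpoint: Optional[IPv4]  # outer destination address for tunnel-mode ESP


@dataclass(frozen=True)
class SaEntry:
    """An SA is identified by <SPI, outer destination, protocol>; its destination selector is one host."""
    spi: int
    outer_dst: IPv4
    proto: str
    sel_src: Net
    sel_dst: IPv4        # single value only: the restriction the post asks about
    key_id: str          # constructed label standing in for manually configured key material


def build_inbound_sas(policy: SpdEntry, hosts_behind_gw: List[IPv4], base_spi: int) -> List[SaEntry]:
    """Expand one PROTECT policy into one SA per protected host (what MKM must do at startup)."""
    if policy.action != "PROTECT" or policy.tunnel_endpoint is None:
        return []
    sas: List[SaEntry] = []
    for i, host in enumerate(hosts_behind_gw):
        if host not in policy.dst:
            raise ValueError(f"{host} is outside the policy's destination selector {policy.dst}")
        sas.append(SaEntry(
            spi=base_spi + i,                 # constructed: each SA needs its own SPI
            outer_dst=policy.tunnel_endpoint,
            proto="ESP",
            sel_src=policy.src,
            sel_dst=host,
            key_id=f"manual-key-{i}",         # constructed placeholder, not real key material
        ))
    return sas


def find_inbound_sa(sad: List[SaEntry], spi: int, outer_dst: IPv4, proto: str) -> Optional[SaEntry]:
    """Inbound SA lookup uses the triple <SPI, destination address, protocol>."""
    for sa in sad:
        if (sa.spi, sa.outer_dst, sa.proto) == (spi, outer_dst, proto):
            return sa
    return None


def inbound_check(sad: List[SaEntry], spi: int, outer_dst: IPv4, proto: str,
                  inner_src: IPv4, inner_dst: IPv4) -> str:
    """Find the SA, then verify the decapsulated inner packet against that SA's selectors."""
    sa = find_inbound_sa(sad, spi, outer_dst, proto)
    if sa is None:
        return "DROP: no SA for <SPI, dst, proto>"
    if inner_src not in sa.sel_src or inner_dst != sa.sel_dst:
        return "DROP: inner packet does not match SA selectors"
    return "ACCEPT"


def demo() -> Dict[str, object]:
    """Build SG1's inbound SAD for the post's topology and run a few inbound packets through it."""
    h1 = IPv4("10.0.0.1")                      # constructed: the post does not give H1's address
    sg1 = IPv4("192.9.100.1")
    hosts = [IPv4("192.9.100.2"), IPv4("192.9.100.3"), IPv4("192.9.100.4")]
    policy = SpdEntry(src=Net(f"{h1}/32"), dst=Net("192.9.100.0/24"),
                      action="PROTECT", tunnel_endpoint=sg1)
    sad = build_inbound_sas(policy, hosts, base_spi=0x1000)
    spi_for = {sa.sel_dst: sa.spi for sa in sad}
    return {
        "sa_count": len(sad),                                                    # 3, one per host
        "to_h2_ok": inbound_check(sad, spi_for[hosts[0]], sg1, "ESP", h1, hosts[0]),
        "wrong_inner_dst": inbound_check(sad, spi_for[hosts[0]], sg1, "ESP", h1, hosts[1]),
        "wrong_inner_src": inbound_check(sad, spi_for[hosts[0]], sg1, "ESP", IPv4("10.0.0.9"), hosts[0]),
        "unknown_spi": inbound_check(sad, 0x2000, sg1, "ESP", h1, hosts[0]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The selector verification in `inbound_check` is the reason the per-host SAs are not just bookkeeping: with a single-host destination selector, a packet carried under H2's SA but addressed to H3 is rejected, so a peer holding one SA's keys cannot reach every host behind the gateway with it.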


