Re: why single value destipaddress in SA selector
Padma,
>>According to the IPsec Architecture RFC, the Destination address part of
>>the selectors can have single, range, or wildcard values in the SPD, but an SA can have only
>>a single IP address. Why is it so? Why can't we have a range or wildcard
>>in the SA dest IP address part of the selectors, as in the SPD?
You're right. We will change the 2nd entry in the table on page
21 from:
    Field     Traffic Value   SAD Entry          SPD Entry
    --------  --------------  -----------------  ---------------------
    src addr  single IP addr  single,range,wild  single,range,wildcard
--> dst addr  single IP addr  single IP addr     single,range,wildcard
to:
    Field     Traffic Value   SAD Entry          SPD Entry
    --------  --------------  -----------------  ---------------------
    src addr  single IP addr  single,range,wild  single,range,wildcard
--> dst addr  single IP addr  single,range,wild  single,range,wildcard
>>For inbound policies, SAs have to be created before any packet
>>matching a policy comes in. So, in MKM we are creating SAs for inbound
>>policies at system startup.
>> H2
>> /
>> H1 ---- SG1 -- H3
>> \
>> H4
>>
>>Consider an example wherein there are policies at H1 and SG1 saying
>>host H1 can have an ESP tunnel up to SG1 for any of the hosts beyond SG1.
>>Assume SG1 is connected to H2, H3 and H4 on the 192.9.100.0 subnet, the SG1
>>address is 192.9.100.1, and H2 is 192.9.100.2, 100.3 for H3 and 100.4 for
>>H4.
Just to be sure that I've addressed the question you're
asking... There are 2 kinds of "Destination Address" referred
to in this document when talking about SAs and the SAD.
a) The Destination Address as "index to SAD" -- used by the
receiver (along with SPI and IPsec protocol) to look up the
SA to use for a given packet. If the SA is tunnel mode,
then this Destination Address is the one in the outer
header (not the inner IP header) and is the single value
that refers to the receiver. (There is no ambiguity if
the SA is transport mode.) *This* Destination Address is
always a single value.
b) The Destination Address as a "selector" -- [from page
22] "For the sender, these values are used to decide
whether a given SA is appropriate for use with an outbound
packet. This is part of checking to see if there is an
existing SA that can be used. For the receiver, these
values are used to check that the selector values in an
inbound packet match those for the SA (and thus indirectly
those for the matching policy)." This Destination Address
could have the value single/range/wildcard.
So looking at your example, suppose the IP address for H1 is
192.1.2.3 and the IP address of the SG1 interface facing towards
H1 is 192.2.3.4. While the policy you describe is for traffic
from H1 to H2/H3/H4, the SA you describe is from H1 to SG1. So
in your example, the SA terminates at SG1. Therefore, if there
were traffic flowing from H1 to one of the hosts, H2/H3/H4, then:
a) at H1,
- there is an outbound SPD entry saying that traffic
from H1 to H2/H3/H4 must be protected by a tunnel to
SG1.
- there is an outbound SAD entry for an SA with a
"selector" Destination Address for a range covering
H2/H3/H4
b) at SG1,
- there is an inbound SPD entry saying that traffic from
H1 to H2/H3/H4 must be protected by a tunnel to SG1.
- there is an inbound SAD entry for an SA with
+ an "index" Destination Address of 192.2.3.4,
+ a "selector" Destination Address for a range
covering H2/H3/H4
If you had an additional policy requiring transport SAs from H1
to H2/H3/H4, then
c) at H1,
- there would be an outbound SPD entry requiring that
traffic from H1 to H2/H3/H4 be protected by a
transport SA to H2/H3/H4. (This is in addition to the
SPD entry described in (a) above.)
- there would be 3 separate outbound SAD entries
- one w/ "selector" Dest. Addr. of H2 (192.9.100.2)
- one w/ "selector" Dest. Addr. of H3 (192.9.100.3)
- one w/ "selector" Dest. Addr. of H4 (192.9.100.4)
d) at H2,
- there'd be an inbound SPD entry requiring that traffic
from H1 to H2 be protected by a transport SA
- there'd be an inbound SAD entry for an SA with:
+ an "index" Destination Address of 192.9.100.2
+ a "selector" Destination Address of 192.9.100.2
e) at H3,
- there'd be an inbound SPD entry requiring that traffic
from H1 to H3 be protected by a transport SA
- there'd be an inbound SAD entry for an SA with:
+ an "index" Destination Address of 192.9.100.3
+ a "selector" Destination Address of 192.9.100.3
f) at H4,
- there'd be an inbound SPD entry requiring that traffic
from H1 to H3 be protected by a transport SA
- there'd be an inbound SAD entry for an SA with:
+ an "index" Destination Address of 192.9.100.4
+ a "selector" Destination Address of 192.9.100.4
Karen
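The two kinds of "Destination Address" in the message above, the (a) SAD index used by the receiver and the (b) selector used by both ends, can be modelled in a few dozen lines. The following is an added example, not code from the message or from any IPsec implementation; it uses the H1/SG1/H2-H4 addresses from the thread, while the SPI values and the tiny SAD/selector classes are constructed for illustration. It shows why the index address must be a single value (it is a lookup key together with SPI and protocol) while the selector address may be a single address, a range, or a wildcard (it is a match predicate applied to the inner header after the lookup).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddrSelector:
    """Selector value as in RFC 2401: single address, range, or wildcard.
    lo/hi are integer addresses; lo=None means wildcard."""
    lo: Optional[int] = None
    hi: Optional[int] = None

    @classmethod
    def single(cls, addr):
        i = int(ipaddress.ip_address(addr))
        return cls(i, i)

    @classmethod
    def range(cls, first, last):
        return cls(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)))

    @classmethod
    def wildcard(cls):
        return cls()

    def matches(self, addr):
        if self.lo is None:          # wildcard matches everything
            return True
        return self.lo <= int(ipaddress.ip_address(addr)) <= self.hi


@dataclass
class SA:
    spi: int
    proto: str              # "ESP" or "AH"
    mode: str               # "tunnel" or "transport"
    index_dst: str          # (a) "index" destination: ONE address, the SA's receiving end
    sel_src: AddrSelector   # (b) "selector" source
    sel_dst: AddrSelector   # (b) "selector" destination: single / range / wildcard


class SAD:
    def __init__(self):
        self.entries = []

    def add(self, sa):
        self.entries.append(sa)

    def lookup_inbound(self, dst, spi, proto):
        """Receiver side: index the SAD by (destination, SPI, protocol).
        In tunnel mode 'dst' is the OUTER header destination."""
        for sa in self.entries:
            if sa.index_dst == dst and sa.spi == spi and sa.proto == proto:
                return sa
        return None

    def find_outbound(self, src, dst):
        """Sender side: reuse an existing SA whose selectors cover the packet."""
        for sa in self.entries:
            if sa.sel_src.matches(src) and sa.sel_dst.matches(dst):
                return sa
        return None


def receiver_check(sad, dst, spi, proto, inner_src, inner_dst):
    """Receiver: index lookup first, then verify the packet's selector
    values (inner header in tunnel mode) against the SA's selectors."""
    sa = sad.lookup_inbound(dst, spi, proto)
    if sa is None:
        return "no SA"
    if not (sa.sel_src.matches(inner_src) and sa.sel_dst.matches(inner_dst)):
        return "selector mismatch"
    return "accept"


H1, SG1 = "192.1.2.3", "192.2.3.4"                     # addresses from the message
H2, H3, H4 = "192.9.100.2", "192.9.100.3", "192.9.100.4"
SPI_TUNNEL, SPI_H2 = 0x1001, 0x2002                    # constructed SPI values


def build_tunnel_sad():
    """The H1->SG1 tunnel SA: this same entry sits in H1's outbound SAD and
    SG1's inbound SAD. Index dst is SG1 alone; selector dst is the range H2..H4."""
    sad = SAD()
    sad.add(SA(SPI_TUNNEL, "ESP", "tunnel", SG1,
               AddrSelector.single(H1), AddrSelector.range(H2, H4)))
    return sad


def build_h2_inbound_sad():
    """H2's inbound transport SA: index dst and selector dst are both H2."""
    sad = SAD()
    sad.add(SA(SPI_H2, "ESP", "transport", H2,
               AddrSelector.single(H1), AddrSelector.single(H2)))
    return sad


def demo():
    tunnel, h2 = build_tunnel_sad(), build_h2_inbound_sad()
    return {
        # tunnel packet H1->H3 arriving at SG1: outer dst SG1, inner dst inside the range
        "tunnel_h3": receiver_check(tunnel, SG1, SPI_TUNNEL, "ESP", H1, H3),
        # inner dst outside the range: SA is found by index, selector check rejects it
        "tunnel_outside": receiver_check(tunnel, SG1, SPI_TUNNEL, "ESP", H1, "192.9.100.9"),
        # unknown SPI: index lookup fails before any selector is consulted
        "bad_spi": receiver_check(tunnel, SG1, 0x9999, "ESP", H1, H3),
        # transport packet at H2
        "transport_h2": receiver_check(h2, H2, SPI_H2, "ESP", H1, H2),
        # sender at H1: one tunnel SA covers H4, but not an unrelated host
        "out_h4_mode": tunnel.find_outbound(H1, H4).mode,
        "out_other": tunnel.find_outbound(H1, "10.0.0.1"),
    }
```

The receiver never searches the SAD by selector; it goes straight to the entry keyed by (index dst, SPI, protocol) and only then checks that the inner packet fits the SA's selectors, which is what lets a single SA carry traffic for the whole H2..H4 range.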