
Re: Which SPD we have to use?



Srinivas,

>w.r.t draft-ietf-ipsec-isakmp-08.txt.
>
>When an outgoing packet does not find any SA associated with it and if
>IPSEC processing has to be applied to it, then we have to start negotiating. For
>this we have to send proposals (maybe more than one) to the responder.
>
>* Whether the proposals to be sent are from the INBOUND SPD or the OUTBOUND SPD at
>the initiator?
>
>* How does the responder select the SPD entry when he receives the
>proposals? Because selectors are not available. Does he select the INBOUND
>SPD or the OUTBOUND SPD?

I would expect the initiator to send a proposal consistent with his
OUTBOUND SPD, and the responder will match that against his INBOUND SPD.
We've refined the IPsec Arch Doc over time to try to make the selector set
consistent with the DOI proposals, so matching between the two should work.

>* I feel that for one negotiation, all together 4 SAs are created, like:
>
>Initiator - Inbound and Outbound SA -- 2 SAs
>Responder - Inbound and Outbound SA -- 2 SAs
>Total 4 SAs. Am I right?

No, only two SAs are created, 1 in each direction between initiator and
responder.  The notion of INBOUND and OUTBOUND is local for each end; one SA
has an OUTBOUND SPD binding at one end and an INBOUND SPD binding at the
other end, but it's still the same SA.

>And if any one of these SAs times out (hard lifetime), then do we need to
>terminate all 4 SAs? How?

In principle the 2 (not 4) SAs are independent, but in practice they are
created in pairs, so I would expect a pair that was created together to be
terminated (and maybe replaced) together.  However, I'll defer to my IKE
friends on this one.

>* Once the negotiation is over, how do the initiator and responder link
>the INBOUND and OUTBOUND SAs with the corresponding INBOUND and OUTBOUND SPD
>entries, for all 4 SAs that are created?

It is a local matter how this is done, although the Arch Doc notes the need
to establish and maintain such a linkage.

>* What happens when an INBOUND SA's SoftLifeTime times out? Will it start
>renegotiation? I feel only an OUTBOUND SA can initiate the renegotiation process.

Good question.  Again, I'll defer to the IKE experts.

>* If an SA times out (hard lifetime), do we need to delete all the SAs
>in the SA bundle to which it corresponds?

Not necessarily.

Steve