
Some questions

Hi all,

I have some questions regarding IPsec processing.

1. As stated in the ISAKMP and IKE drafts, when the initiator sends an SA
payload containing several Proposal payloads (each of which may
contain several Transform payloads), the responder MUST reply with only
one Proposal (or with several if they define a protection suite, thus
having the same Proposal number) containing only one transform. Then the
initiator creates 2 SAs (outbound and inbound) using the returned (and so
selected by the peer) transform and its attributes. It assumes that
both SAs (one in each direction) will use the same transform (e.g.
algorithm with its attributes) and will differ only in their keys. Is
this reading correct? If so, one cannot create asymmetrical SAs with
ISAKMP, for example using DES in one direction and IDEA in the
other, which might be useful under some circumstances.

2. Regarding the previous question: when a protection suite (e.g. a sequence
of SAs) is negotiated, what should be the order of application of those
SAs when processing an outgoing packet? Should it be the same as the
order in which their proposals appear in the ISAKMP SA Payload? It is
very natural, but it seems that the IPsec drafts don't state this
explicitly.

Thanks in advance,
Valery Smyslov.
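The proposal/transform selection rules and the two-SA derivation described in question 1, as an added model that is not code from the original post or from any IKE implementation. Algorithm names ("DES", "IDEA", "HMAC-MD5", ...), SPIs and keys are constructed labels rather than registry values or the RFC 2408 wire format; the shape of the responder's policy dictionary and the `validate_reply` check on the initiator side are assumptions for illustration. The block follows the reading the post gives (same transform in both directions, differing only in key and SPI); it does not decide the ordering question raised in point 2.

```python
"""Model of ISAKMP SA-payload negotiation as described in the post.

Constructed example: simplified structures, not the RFC 2408 wire format.
Algorithm names, SPIs and keys below are illustrative labels only.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transform:
    number: int                                   # Transform number within its Proposal payload
    transform_id: str                             # algorithm label (constructed, e.g. "DES", "IDEA")
    attributes: Tuple[Tuple[str, str], ...] = ()  # SA attributes, e.g. (("lifetime", "3600"),)


@dataclass(frozen=True)
class Proposal:
    number: int                    # equal numbers = one protection suite (AND);
                                   # different numbers = alternatives (OR), in preference order
    protocol: str                  # "ESP" or "AH" (labels, not protocol-ID bytes)
    spi: bytes                     # SPI of the sender of this payload
    transforms: Tuple[Transform, ...]


# Constructed initiator offer: suite 1 = ESP (3DES or DES) AND AH (SHA or MD5);
# suite 2 = ESP with IDEA only.
OFFERED: List[Proposal] = [
    Proposal(1, "ESP", b"\x00\x00\x00\x01", (Transform(1, "3DES"), Transform(2, "DES"))),
    Proposal(1, "AH",  b"\x00\x00\x00\x02", (Transform(1, "HMAC-SHA"), Transform(2, "HMAC-MD5"))),
    Proposal(2, "ESP", b"\x00\x00\x00\x03", (Transform(1, "IDEA"),)),
]


def group_suites(proposals: List[Proposal]) -> Dict[int, List[Proposal]]:
    """Group proposals by Proposal number; insertion order keeps the initiator's preference."""
    suites: Dict[int, List[Proposal]] = {}
    for p in proposals:
        suites.setdefault(p.number, []).append(p)
    return suites


def responder_select(offered: List[Proposal], acceptable: Dict[str, Set[str]],
                     spi_for: Callable[[str], bytes] = lambda proto: os.urandom(4)
                     ) -> Optional[List[Proposal]]:
    """Responder: return the first suite in which every protocol has an acceptable
    transform, with exactly one transform per Proposal and the responder's own SPIs.
    `acceptable` maps protocol -> set of transform labels the responder supports (assumption).
    """
    for number, suite in group_suites(offered).items():
        chosen: List[Proposal] = []
        for prop in suite:
            ok = next((t for t in prop.transforms
                       if t.transform_id in acceptable.get(prop.protocol, set())), None)
            if ok is None:
                break                       # one protocol unsatisfiable -> whole suite rejected
            chosen.append(Proposal(number, prop.protocol, spi_for(prop.protocol), (ok,)))
        else:
            return chosen
    return None


def validate_reply(offered: List[Proposal], reply: Optional[List[Proposal]]) -> bool:
    """Initiator: enforce the rules the post cites before installing anything.
    Single Proposal number, same protocol set as the offered suite, exactly one
    transform per Proposal, and every transform must be one we actually offered.
    """
    if not reply:
        return False
    numbers = {p.number for p in reply}
    if len(numbers) != 1:
        return False
    offered_suite = group_suites(offered).get(next(iter(numbers)))
    if offered_suite is None:
        return False
    by_proto = {p.protocol: p for p in offered_suite}
    if {p.protocol for p in reply} != set(by_proto):
        return False
    return all(len(p.transforms) == 1 and p.transforms[0] in by_proto[p.protocol].transforms
               for p in reply)


def make_sa_pair(offered: List[Proposal], reply: List[Proposal],
                 keys: Dict[str, Tuple[bytes, bytes]]) -> List[dict]:
    """Initiator: one outbound and one inbound SA per protocol of the agreed suite.
    Both directions use the transform the responder returned; only SPI and key differ
    (the reading described in the post). `keys` maps protocol -> (out_key, in_key).
    """
    mine = {p.protocol: p for p in group_suites(offered)[reply[0].number]}
    sas: List[dict] = []
    for p in reply:
        t = p.transforms[0]
        out_key, in_key = keys[p.protocol]
        sas.append({"dir": "out", "protocol": p.protocol, "transform": t.transform_id,
                    "spi": p.spi, "key": out_key})                  # peer's SPI on traffic we send
        sas.append({"dir": "in", "protocol": p.protocol, "transform": t.transform_id,
                    "spi": mine[p.protocol].spi, "key": in_key})    # our SPI on traffic we receive
    return sas


if __name__ == "__main__":
    reply = responder_select(OFFERED, {"ESP": {"DES", "IDEA"}, "AH": {"HMAC-MD5"}})
    print("responder reply:", reply)
    print("valid:", validate_reply(OFFERED, reply))
```

Running the block prints a reply consisting of two Proposals numbered 1 (ESP/DES and AH/HMAC-MD5), each with a single transform, which `validate_reply` accepts; a reply that carries two transforms in one Proposal, or mixes Proposal numbers, is rejected before any SA is built.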
