Some questions
Hi all,
I have some questions regarding IPsec processing.
1. As stated in the ISAKMP and IKE drafts, when the initiator sends an SA
payload containing several Proposal payloads (each of which may
contain several Transform payloads), the responder MUST reply with only
one Proposal (or with several if they define a protection suite, thus
having the same Proposal number) containing only one Transform. Then the
initiator creates two SAs (outbound and inbound) using the returned (and thus
peer-selected) transform and its attributes. It assumes that
both SAs (one in each direction) will use the same transform (e.g.
algorithm with its attributes) and will differ only in their keys. Is
this reading correct? If so, one cannot create asymmetric SAs with
ISAKMP, for example using DES in one direction and IDEA in the
other, which might be useful under some circumstances.
2. Regarding the previous question: when a protection suite (e.g. a sequence
of SAs) is negotiated, what should be the order of application of those
SAs when processing an outgoing packet? Should it be the same as the
order in which their proposals appear in the ISAKMP SA payload? It is
very natural, but it seems that the IPsec drafts don't state this
explicitly.
Thanks in advance,
Valery Smyslov.
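The Proposal/Transform selection rule the message asks about, as an added example that is not part of the original post or of any IPsec implementation: a small Python model of the ISAKMP (RFC 2408) SA payload body. It encodes and decodes Proposal and Transform payloads on the wire, has the responder pick one protection suite (all proposals sharing a Proposal number, accepted or rejected as a unit) while keeping exactly one Transform per proposal and substituting its own SPIs, and has the initiator verify that the reply is a single suite with one Transform per proposal, each of which it actually offered. The offer (ESP with 3DES or DES plus AH with HMAC-SHA as suite 1, ESP with DES as suite 2), the SPIs and the responder's acceptable-transform sets are constructed for the example; transform and attribute numbers are the IPsec DOI (RFC 2407) values, only TV-form attributes are handled, and key material is not modelled.

```python
"""Added example (not code from the original message): a minimal model of ISAKMP
(RFC 2408) SA negotiation with IPsec DOI (RFC 2407) identifiers.  Keys are not modelled."""
import struct
from collections import namedtuple

PROTO_AH, PROTO_ESP = 2, 3                     # RFC 2407 protocol identifiers
AH_MD5, AH_SHA, ESP_DES, ESP_3DES = 2, 3, 2, 3  # AH / ESP transform identifiers
ATTR_ENCAP, ATTR_AUTH = 4, 5                   # DOI attributes: 1 = tunnel; 1 = HMAC-MD5, 2 = HMAC-SHA
NP_NONE, NP_PROPOSAL, NP_TRANSFORM = 0, 2, 3   # Next Payload values

# attrs: ((type, value), ...) in TV (short) form; transforms: [Transform, ...]
Transform = namedtuple("Transform", "number transform_id attrs")
Proposal = namedtuple("Proposal", "number protocol spi transforms")

def encode_sa(proposals):
    """Proposal/Transform chain that follows the SA payload header (RFC 2408 3.5, 3.6)."""
    out = b""
    for i, p in enumerate(proposals):
        ts = b""
        for j, t in enumerate(p.transforms):
            body = b"".join(struct.pack("!HH", 0x8000 | k, v) for k, v in t.attrs)
            ts += struct.pack("!BBHBBH", NP_NONE if j == len(p.transforms) - 1 else NP_TRANSFORM,
                              0, 8 + len(body), t.number, t.transform_id, 0) + body
        out += struct.pack("!BBHBBBB", NP_NONE if i == len(proposals) - 1 else NP_PROPOSAL,
                           0, 8 + len(p.spi) + len(ts), p.number, p.protocol,
                           len(p.spi), len(p.transforms)) + p.spi + ts
    return out

def decode_sa(data):
    proposals, off = [], 0
    while True:
        nxt, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid, _ = struct.unpack_from("!BBHBBH", data, toff)
            attrs = []
            for aoff in range(toff + 8, toff + tlen, 4):
                k, v = struct.unpack_from("!HH", data, aoff)
                if not k & 0x8000:
                    raise ValueError("TLV attribute form not handled in this example")
                attrs.append((k & 0x7FFF, v))
            transforms.append(Transform(tnum, tid, tuple(attrs)))
            toff += tlen
        proposals.append(Proposal(num, proto, bytes(data[off + 8:off + 8 + spi_size]), transforms))
        off += plen
        if nxt == NP_NONE:
            return proposals

def select_suite(offered, acceptable, my_spis):
    """Responder (RFC 2408 4.2): proposals sharing a number form one protection suite and
    are accepted or rejected as a unit; the reply keeps exactly one Transform per proposal
    and carries the responder's own SPIs.  acceptable = {protocol: {transform_id, ...}}."""
    suites = {}
    for p in offered:
        suites.setdefault(p.number, []).append(p)
    for num in sorted(suites):                                   # offered order = preference
        chosen = []
        for p in suites[num]:
            ok = [t for t in p.transforms if t.transform_id in acceptable.get(p.protocol, ())]
            if not ok:
                break                                            # whole suite rejected
            chosen.append(Proposal(num, p.protocol, my_spis[p.protocol], [ok[0]]))
        else:
            return chosen
    return None

def check_reply(offered, reply):
    """Initiator: one suite number, one Transform per proposal, each Transform as offered."""
    if not reply or len({p.number for p in reply}) != 1:
        return False
    suite = {p.protocol: p for p in offered if p.number == reply[0].number}
    if {p.protocol for p in reply} != set(suite):
        return False
    return all(len(p.transforms) == 1 and p.transforms[0] in suite[p.protocol].transforms
               for p in reply)

def negotiate(acceptable):
    """Constructed offer: suite 1 = ESP(3DES or DES) + AH(HMAC-SHA); suite 2 = ESP(DES)."""
    tunnel = ((ATTR_ENCAP, 1),)
    offered = [
        Proposal(1, PROTO_ESP, b"\x11" * 4, [Transform(1, ESP_3DES, tunnel + ((ATTR_AUTH, 2),)),
                                             Transform(2, ESP_DES, tunnel + ((ATTR_AUTH, 1),))]),
        Proposal(1, PROTO_AH, b"\x22" * 4, [Transform(1, AH_SHA, tunnel)]),
        Proposal(2, PROTO_ESP, b"\x33" * 4, [Transform(1, ESP_DES, tunnel)]),
    ]
    reply = select_suite(decode_sa(encode_sa(offered)), acceptable,       # initiator -> responder
                         {PROTO_ESP: b"\xaa" * 4, PROTO_AH: b"\xbb" * 4})
    if reply is None:
        return None
    reply = decode_sa(encode_sa(reply))                                   # responder -> initiator
    if not check_reply(offered, reply):
        raise ValueError("reply does not match the offer")
    return [(p.number, p.protocol, p.transforms[0].transform_id) for p in reply]

if __name__ == "__main__":
    print(negotiate({PROTO_ESP: {ESP_3DES}, PROTO_AH: {AH_SHA}}))  # suite 1, one transform each
    print(negotiate({PROTO_ESP: {ESP_DES}, PROTO_AH: {AH_MD5}}))   # suite 2: AH in suite 1 unacceptable
    print(negotiate({PROTO_ESP: {ESP_3DES}}))                      # None: no suite acceptable
```

Running the block shows the behaviour the message describes: when the responder accepts 3DES and HMAC-SHA it returns both Proposals of suite 1 (same Proposal number, one Transform each); when it only accepts DES and HMAC-MD5, suite 1 is rejected as a whole because its AH proposal has no acceptable transform, and the single-proposal suite 2 is chosen instead. Note that `check_reply` only validates the payload structure; the order in which the suite's SAs are applied to a packet, the subject of the second question, is not something this payload encodes.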