Re: Some questions

[Daniel Harkins <dharkins@cisco.com>]

  Privyet Valery,

> 1. As stated in ISAKMP and IKE drafts, when initiator sends SA 
> payload containing several Proposal payloads (each of them may 
> contain several Transform payloads), responder MUST reply with only 
> one Proposal (or with some if they define a protection suit, thus 
> having the same Proposal number) containing only one transform. Then 
> initiator creates 2 SAs (outbound and inbound) using returned (and so 
> selected by the peer) transform and its attributes. It assumes that 
> both SA (in each direction) will use the same transform (e.g. 
> algorithm with its attributes) and will differ only in their keys. Is 
> this reading correct? If so, one cannot create asymmetrical SA with 
> ISAKMP, for example, using DES in one direction and IDEA in the 
> other, that might be useful under some circumstances.

Yes, that's right, they must use the same transform. Under what situations
would you want to have asymmetrical SAs?

> 2. Regarding previous question: when protection suite (e.g. sequence 
> of SAs) is negotiated, what should be the order of appliance of those 
> SAs when processing an outgoing packet? Should it be the same as the 
> order in which their proposals appear in the ISAKMP SA Payload? It is 
> very natural, but it seems that IPsec drafts doesn't state this 
> explicitly.

For situations where you negotiate AH and ESP you apply ESP first.
Applying multiple AH or multiple ESP transforms to a single packet is not 
defined.

  Dan.

---

Follow-Ups:

• Re: Some questions
• From: Lewis McCarthy <lmccarth@cs.umass.edu>
• Re: Some questions
• From: "Valery Smyslov" <svan@elvis.ru>

References:

• Some questions
• From: "Valery Smyslov" <svan@elvis.ru>

---

• Prev by Date: RE: isakmp sa attributes
• Next by Date: Some questions
• Next by thread: RE: [Karen Seo: Thomas Narten -- clarification, etc.]
• Index(es):
  • Main
  • Thread