
Re: IKE implementation issues



On Mon, 08 Jun 1998 17:04:56 BST you wrote
> 
> 1) Processing of INBOUND Quick mode seems to have a problem. The SPD is
> searched to find an appropriate policy, but given the information
> available at the time, this has to be a guess, at best.

What information is missing?

> The consequences are that data packets arriving on the resulting INBOUND
> SA may need to search the SPD for the correct match. This is not optimal.
> What is needed is a way to exchange (securely) the selectors used in the
> initiator's policy.

It's done in the ID payloads passed as part of the Quick Mode exchange.

> 2) Is it mandatory to respond to an Inbound SA request (responder) with
> an Outbound SA establishment (in a single Quick mode)? I would prefer not
> to set up the Outbound SA until outbound traffic presents itself. This
> allows me to use separate keys for inbound and outbound processes as well.

You'll have different keys if your SPIs are different (see recent post
from D. Hugh Redelmeier on this subject). But to answer your question, yes,
you have to respond with the outbound SA info complete with your SPI.

> As for question 1, if I am forced to set up an Outbound SA as a responder
> to an inbound request, I am likely to end up with a bad matching inbound
> policy AND a bad matching outbound policy (i.e. one that may never get
> used).

It is possible that you can set up an outbound SA that never gets used
but that doesn't mean that you get bad matching inbound and outbound
policy. If it's bad then don't accept it and don't set up any SAs.

> 3) Why does the Phase 1 SA (IKE SA) need to be deleted when PFS is
> selected? Since DH is used in Phase 2, doesn't that remove the need to
> trash the Phase 1 SA?

That's only if you want PFS for the identities as well as the keys.
If you just want PFS for the phase 2 keys then you don't have to delete
the phase 1 SA.

  Dan.
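The following is an added worked example, not code from the original mail or from any particular IKE implementation. It illustrates three of the points above on the responder side of one Quick Mode: the peer's selectors arrive in the IDci/IDcr payloads and can be matched against the SPD directly (a bad match means refusing the exchange and installing no SAs); the outbound SA is established in the same exchange but gets a different key from the inbound SA because the SPI is part of the KEYMAT derivation in RFC 2409 section 5.5; and when PFS was negotiated, the Quick Mode DH secret is simply folded into that same derivation without touching the Phase 1 SA. HMAC-SHA1 as the prf, the SPD entries, addresses, SPIs, nonces and SKEYID_d are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ID_IPV4_ADDR = 1            # RFC 2407 s4.6.2.1 identification types
ID_IPV4_ADDR_SUBNET = 4
PROTO_IPSEC_ESP = 3         # RFC 2407 s4.4.1 protocol identifier


@dataclass(frozen=True)
class Selector:
    net: ipaddress.IPv4Network
    proto: int      # 0 means any protocol
    port: int       # 0 means any port


def build_id_payload(id_type: int, proto: int, port: int, data: bytes) -> bytes:
    """Encode a Phase 2 ID payload: generic header, ID type, proto, port, data."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, proto, port) + data


def parse_id_payload(buf: bytes) -> Selector:
    """Decode IDci/IDcr into the selector it carries (RFC 2407 s4.6.2)."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload")
    _next, _rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError("ID payload length mismatch")
    data = buf[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(data), 32))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr, mask = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:])
        net = ipaddress.IPv4Network((addr, str(mask)))   # strict: host bits set is an error
    else:
        raise ValueError(f"unsupported or malformed ID type {id_type}")
    return Selector(net, proto, port)


@dataclass(frozen=True)
class SPDEntry:
    local: Selector     # our side, matched against IDcr
    remote: Selector    # peer side, matched against IDci


def _covers(policy: Selector, asked: Selector) -> bool:
    return (asked.net.subnet_of(policy.net)
            and policy.proto in (0, asked.proto)
            and policy.port in (0, asked.port))


def lookup_spd(spd: List[SPDEntry], idci: Selector, idcr: Selector) -> Optional[SPDEntry]:
    """Responder SPD lookup keyed on the peer's ID payloads rather than a guess."""
    for entry in spd:
        if _covers(entry.local, idcr) and _covers(entry.remote, idci):
            return entry
    return None


def keymat(skeyid_d: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
           nbytes: int, g_xy: bytes = b"", protocol: int = PROTO_IPSEC_ESP) -> bytes:
    """RFC 2409 s5.5 key expansion, with HMAC-SHA1 assumed as the negotiated prf:
         K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
         Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    g_xy is the Quick Mode DH secret when PFS was negotiated, else empty."""
    tail = g_xy + bytes([protocol]) + spi + ni_b + nr_b
    out, k = b"", b""
    while len(out) < nbytes:
        k = hmac.new(skeyid_d, k + tail, hashlib.sha1).digest()
        out += k
    return out[:nbytes]


def responder_quick_mode(spd, idci_bytes, idcr_bytes, skeyid_d, spi_i, spi_r,
                         ni_b, nr_b, key_len=20, g_xy=b""):
    """Responder side of one Quick Mode: choose the policy from the peer's IDs,
    then install both SAs. The outbound SA (peer's SPI) is part of the same
    exchange, but its key differs from the inbound SA's because the SPI is
    part of the prf input."""
    policy = lookup_spd(spd, parse_id_payload(idci_bytes), parse_id_payload(idcr_bytes))
    if policy is None:
        return None     # bad match: don't accept it, set up no SAs
    return {
        "policy": policy,
        "inbound":  {"spi": spi_r, "key": keymat(skeyid_d, spi_r, ni_b, nr_b, key_len, g_xy)},
        "outbound": {"spi": spi_i, "key": keymat(skeyid_d, spi_i, ni_b, nr_b, key_len, g_xy)},
    }


# Constructed sample data: hypothetical addresses, SPIs, nonces and SKEYID_d.
SPD = [SPDEntry(local=Selector(ipaddress.IPv4Network("192.168.2.0/24"), 0, 0),
                remote=Selector(ipaddress.IPv4Network("10.1.0.0/16"), 0, 0))]
IDCI = build_id_payload(ID_IPV4_ADDR_SUBNET, 0, 0, bytes([10, 1, 0, 0]) + bytes([255, 255, 0, 0]))
IDCR = build_id_payload(ID_IPV4_ADDR_SUBNET, 0, 0, bytes([192, 168, 2, 0]) + bytes([255, 255, 255, 0]))
SKEYID_D = hashlib.sha1(b"phase 1 SKEYID_d (constructed)").digest()
NI_B, NR_B = b"\x11" * 16, b"\x22" * 16
SPI_I, SPI_R = b"\x00\x00\x10\x01", b"\x00\x00\x20\x02"

if __name__ == "__main__":
    sas = responder_quick_mode(SPD, IDCI, IDCR, SKEYID_D, SPI_I, SPI_R, NI_B, NR_B)
    print("inbound  SPI", SPI_R.hex(), "key", sas["inbound"]["key"].hex())
    print("outbound SPI", SPI_I.hex(), "key", sas["outbound"]["key"].hex())
```

Running it shows two distinct keys from one SKEYID_d and one pair of nonces, which is the "different SPIs, different keys" point; passing a non-empty g_xy changes both keys without any change to the Phase 1 state, which is the PFS-for-keys case, as opposed to deleting the Phase 1 SA for PFS of the identities.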


