
independent SAs linking



Hi Sumit

from:draft-ietf-ipsec-arch-sec-05.txt  (page 27)      

Case 4.  This covers the situation where a remote host (H1)
uses the Internet to reach an organization's firewall (SG2)
and to then gain access to some server or other machine(H2).
The remote host could be a mobile host (H1) dialing up to a
local PPP/ARA server (not shown) on the Internet and then
crossing the Internet to the home organization's firewall(SG2),
etc. The details of support for this case, (how H1 locates SG2,
authenticates it, and verifies its authorization to represent
H2) are discussed in Section 4.6.3, "Locating a Security
Gateway".

        ======================================================
        |                                                    |
        |==============================                      |
        ||                            |                      |
        ||                         ---|----------------------|---
        ||                         |  |                      |  |
        H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
              ^                    |           Intranet)        |
              |                    ------------------------------
        could be dialup              admin. boundary (optional)
        to PPP/ARA server

Only tunnel mode is required between H1 and SG2.  So the 
choices for the SA between H1 and SG2 would be one of the
ones in case2. The choices for the SA between H1 and H2 
would be one of the ones in case 1.

Note that in this case, the sender MUST apply the transport
header before the tunnel header. Therefore the management
interface to the IPsec implementation MUST support configuration
of the SPD and SAD to ensure this ordering of IPsec
header application.

As noted above, support for additional combinations of AH 
and ESP is optional.  Use of other, optional combinations
may adversely affect interoperability.

*****I need some clarification at these points*****
 
Let us assume that from H1 to SG2 we have ESP in tunnel mode
and from H1 to H2 we have AH in transport mode.

1) How do we negotiate SA's ?

Suppose H1 starts negotiation; then it will end up creating
two SAs, one from H1 to SG2 and another from H1 to H2. In such a
case, since the proposals are sent from the same SPD entry, both
the SAs negotiated will form a single bundle in H1's SPD.
But SG2 and H2 will have only one SA created on their end. So
when the packet is sent out from H1 both the SAs will be applied,
and correspondingly SG2 will decrypt and then it will be
passed to H2, which is our final destination.

The matching SPD entry in H1 would have two protocols to be 
applied out of which one is to SG2 and the other is to H2.

But ... when H2 initiates SA negotiation for the above case.

H2 has an SPD entry that says that AH has to be applied in
transport mode. This creates the ISAKMP SA between H1 and H2
and then the AH SA. H2 applies it and sends it out.

Now, this comes to SG2 which now negotiates the ESP SA in 
tunnel mode with H1. Since these SAs form independently and 
match the same SPD entry (will they?) in H1, how are these 
linked together to be a single SA bundle for any data that 
will be sent out from H1? If these are independent SAs linked
to the outbound SPD entry, we will have to search through the
list of bundles looking for those that match and applying them 
in the sequence that is determined by the policy. But, this is
not how IPSEC architecture outlines the processing of a datagram.

So, what does happen in this case? How do we link two SAs that are
negotiated independently together?

-thanks
-ramana



* Ramana Yarlagadda                      
* Rendezvous On Chip Pvt Ltd.
* NewVasaviNagar, Kharkhana, 
* SECUNDERABAD - 500015.    
* INDIA                    
* Tele Phone  :  (040) 7742606, 7740406
* Email  : ramana@trinc.com           
* http://www.trinc.com                
******************************************************************
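As an added illustration (not part of Ramana's message or of the draft), the following Python sketch models one way an outbound SPD entry can be resolved against the SAD at send time, so that SAs negotiated independently (the H2-initiated AH SA and the SG2-initiated ESP SA) still come together as one bundle, and it checks the draft's ordering rule (transport header applied before tunnel header). The host names H1/H2/SG2, the SPDEntry/SAD classes and the SPI values are constructed for the example.

```python
# Added example: toy model of SPD -> SAD bundle resolution for the
# "case 4" scenario (AH transport to H2 nested inside ESP tunnel to SG2).
# Not an implementation of any real IPsec stack; all values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    proto: str   # "AH" or "ESP"
    mode: str    # "transport" or "tunnel"
    peer: str    # endpoint this SA was negotiated with (H2 or SG2)
    spi: int

@dataclass
class SPDEntry:
    src: str
    dst: str
    required: list  # (proto, mode, peer) tuples in application order

class SAD:
    """Flat SA database; SAs may be added in any order as IKE finishes them."""
    def __init__(self):
        self.sas = []
    def add(self, sa):
        self.sas.append(sa)
    def lookup(self, proto, mode, peer):
        return next((s for s in self.sas
                     if (s.proto, s.mode, s.peer) == (proto, mode, peer)), None)

def check_ordering(required):
    """A transport-mode SA must never follow a tunnel-mode SA in a bundle."""
    seen_tunnel = False
    for _, mode, _ in required:
        seen_tunnel = seen_tunnel or mode == "tunnel"
        if mode == "transport" and seen_tunnel:
            return False
    return True

def resolve_bundle(entry, sad):
    """Resolve the SPD entry against the SAD at send time.
    Returns (ordered SA bundle, protections still to be negotiated)."""
    if not check_ordering(entry.required):
        raise ValueError("SPD entry applies a tunnel header before a transport header")
    bundle, missing = [], []
    for proto, mode, peer in entry.required:
        sa = sad.lookup(proto, mode, peer)
        (bundle.append(sa) if sa else missing.append((proto, mode, peer)))
    return bundle, missing

def apply_bundle(entry, bundle, payload):
    """Return the outbound header layout after applying each SA in order."""
    pkt = [f"IP({entry.src}->{entry.dst})", payload]
    for sa in bundle:
        if sa.mode == "transport":   # sits right after the inner IP header
            pkt.insert(1, f"{sa.proto}(spi={sa.spi:#x})")
        else:                         # wraps everything in a new outer IP header
            pkt = [f"IP({entry.src}->{sa.peer})", f"{sa.proto}(spi={sa.spi:#x})"] + pkt
    return pkt
```

Because the bundle is resolved from the SPD entry each time a packet is sent, it does not matter which peer's negotiation completed first; a missing SA simply shows up in the `missing` list as a trigger for IKE.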