
Re: Hybrid Authentication and Remote Access



Tero,

>Moshe Litvin writes:
>> > > When dealing with remote users (with no fixed IP) the server has to
>> > > remember some dynamic data to be able to do isakmp (it at least has to
>> > > know that there is a remote user at that IP, it will probably want to
>> > > know who the user is (perhaps that user is not permitted to work at those
>> > > hours so there is no need to waste effort on negotiation). In some case
>> > > it will do some sort of NAT, so it will have to remember also this.
>> > That information is usually stored in the ipsec SA and the ISAKMP SA
>> > doesn't need to store that information.
>> This is a strange implementation choice, you may have a lot of IPSEC SA's
>> simultaneously, and they will change all the time. Why do you want to
>> copy all that information to every separate IPSEC SA (especially since
>> you are so concerned about resource shortage).
>
>That information must be inside the IPsec SA. It must know the ip address
>of the remote node, it is not interested in who the user is, and it
>doesn't need to store that information. On the other hand isakmp
>doesn't need to store anything about the IPsec SA after it has been
>initialized and it can throw away all information about the ISAKMP SA and
>IPsec SA after it has installed the IPsec SA in the IPsec engine.

Well, not exactly.  The requirement to check packets against the selectors
for an SA does require that the implementation maintain some data with each
SA.

>Note, that for example the ISAKMP SA information stored in the ISAKMP
>SA can be quite large, for example if you are using blowfish
>encryption the encryption context is 4 kB.

Maybe a good reason not to use that algorithm :-).


>The IPsec must store the protocol, spi, dst-addr, and algorithm
>context (esp, ah, replay). A new normal isakmp negotiation can be
>started by the server from just one piece of information, the
>destination-address; everything else will be received from the isakmp
>negotiation itself. So when the IPsec SA expires, it only needs to
>send a message to the isakmp module saying that it wants to have a new IPsec
>SA with this destination host and the ISAKMP module will then check if
>it already has an ISAKMP SA with that host and if not it will start
>main mode.

See my comments above about the additional selector data that must be
maintained in some fashion for each SA.

Steve
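Steve's point that selector data must be kept with each SA and checked on every packet, as an added example that is not part of this thread: a minimal SA record carrying the fields Tero lists (protocol, spi, dst-addr, replay context) plus the negotiated selector, and an inbound path that looks up the SA, enforces the anti-replay window, and drops a decapsulated packet that falls outside the selector. The addresses, SPI and window size are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

REPLAY_WINDOW = 64  # assumption: a 64-packet anti-replay window

@dataclass
class Selector:
    """Traffic selector agreed for the SA: the per-SA data Steve says must be kept."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None  # None = any protocol

@dataclass
class IPsecSA:
    """What Tero lists (protocol, spi, dst-addr, replay context) plus the selector."""
    protocol: str                # "esp" or "ah"
    spi: int
    dst_addr: str
    selector: Selector
    last_seq: int = 0
    seen: Set[int] = field(default_factory=set)  # accepted seqs (pruning omitted)

SAD = Dict[Tuple[str, int, str], IPsecSA]  # SA database keyed for inbound lookup

def selector_matches(sel: Selector, inner: dict) -> bool:
    """Check the decapsulated packet against the selector negotiated for this SA."""
    return (ipaddress.ip_address(inner["src"]) in sel.src
            and ipaddress.ip_address(inner["dst"]) in sel.dst
            and (sel.proto is None or inner["proto"] == sel.proto))

def process_inbound(sad: SAD, outer: dict, inner: dict) -> str:
    """Return 'accept' or a drop reason; outer = ESP/AH header, inner = decapsulated packet."""
    sa = sad.get((outer["proto"], outer["spi"], outer["dst"]))
    if sa is None:
        return "drop: no SA"
    seq = outer["seq"]
    if seq <= sa.last_seq - REPLAY_WINDOW or seq in sa.seen:
        return "drop: replay"
    if not selector_matches(sa.selector, inner):
        return "drop: selector mismatch"
    sa.seen.add(seq)
    sa.last_seq = max(sa.last_seq, seq)
    return "accept"

def demo_sad() -> SAD:
    """Constructed sample: one remote user, inner address 10.8.0.5, allowed to reach 10.0.0.0/8."""
    sa = IPsecSA("esp", 0x1001, "192.0.2.1", Selector(
        ipaddress.ip_network("10.8.0.5/32"), ipaddress.ip_network("10.0.0.0/8")))
    return {(sa.protocol, sa.spi, sa.dst_addr): sa}
```

Without the selector check, a peer holding a valid SA could tunnel packets from any inner source to any inner destination, which is why the per-SA selector state cannot be discarded once the SA is installed.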
