
PFKEYv2 and IKEd.



I have some basic questions concerning PFKEYv2 and IKE.

First, draft-mcdonald-pf-key-v2-06.txt says,

   5.1 Simple IP Security Example
   
        Assume that no security associations currently exist for IPsec to
      use. Consider when a network application begins transmitting data
      (e.g. a TCP SYN). Because of policy, or the application's request,
      the kernel IPsec module needs an AH security association for this
      data. Since there is not one present, the following message is
      generated:
   
         Kernel->Registered:  SADB_ACQUIRE for AH, addrs, ID, sens,
   
        The KMd reads the ACQUIRE message, especially the sadb_msg_seq
      number. Before it begins the negotiation, it sends down an
      SADB_GETSPI message with the sadb_msg_seq number equal to the one
      received in the ACQUIRE. The kernel returns the results of the
      GETSPI to all listening sockets.
   
         KMd->Kernel:         SADB_GETSPI for AH, addr, SPI range
         Kernel->All:         SADB_GETSPI for AH, assoc, addrs
   
Who is this SPI for?
I think it is strange to do SADB_GETSPI on the sender system
because the SPI must be decided by the receiver.

Next, draft-ietf-ipsec-isakmp-oakley-08.txt says,

   5.5 Phase 2 - Quick Mode
   
      Quick Mode is essentially a SA negotiation and an exchange of nonces
      that provides replay protection.
         :
         :
      Quick Mode is defined as follows:
   
           Initiator                        Responder
          -----------                      -----------
           HDR*, HASH(1), SA, Ni
             [, KE ] [, IDci, IDcr ] -->
                                     <--    HDR*, HASH(2), SA, Nr
                                                  [, KE ] [, IDci, IDcr ]
           HDR*, HASH(3)             -->
         :
         :
      A single SA negotiation results in two security associations-- one
      inbound and one outbound.

I would like to confirm this.
Are two security associations negotiated by a Quick Mode
such as the one in this figure?
If that is right, is it possible to negotiate a single direction
of security association? For example, negotiating an SA for UDP packets.

Another question about the figure:
which of the `Initiator' and `Responder' is the system whose packet
(e.g. a TCP SYN) caused this negotiation?

I think there should be consistency in the use of both IKEd and PF_KEYv2.

Please correct me when I'm wrong.

Regards.
==================
  Shoichi Sakane
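As an added illustration of the ACQUIRE/GETSPI exchange quoted from section 5.1 above (example code written for this page, not from the draft or any IKE daemon): the kernel side emits an SADB_ACQUIRE, the KMd answers with an SADB_GETSPI carrying the same sadb_msg_seq, and the kernel uses that sequence number to tie the reserved SPI back to the pending ACQUIRE. The struct layout and constant values follow RFC 2367 (the published PF_KEYv2) and are defined inline so no kernel headers or sockets are needed; the helper names are hypothetical.

```c
/* Model of the PF_KEYv2 ACQUIRE -> GETSPI correlation.  Layout and
 * constants as in RFC 2367; defined inline so this builds anywhere.
 * No PF_KEY socket is opened: messages are built and checked in memory. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PF_KEY_V2       2
#define SADB_GETSPI     1
#define SADB_ACQUIRE    6
#define SADB_SATYPE_AH  2

struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};

/* Kernel side: the ACQUIRE sent when an outbound packet needs an SA. */
struct sadb_msg kernel_acquire(uint8_t satype, uint32_t seq) {
    struct sadb_msg m = {0};
    m.sadb_msg_version = PF_KEY_V2; m.sadb_msg_type = SADB_ACQUIRE;
    m.sadb_msg_satype = satype;     m.sadb_msg_seq = seq;
    m.sadb_msg_len = sizeof m / 8;  /* length is counted in 64-bit words */
    return m;
}

/* KMd side: GETSPI echoing the ACQUIRE's sadb_msg_seq.  The SPI the kernel
 * reserves in reply is one this host will recognise on inbound traffic. */
struct sadb_msg kmd_getspi(const struct sadb_msg *acq, uint32_t pid) {
    struct sadb_msg m = {0};
    m.sadb_msg_version = PF_KEY_V2; m.sadb_msg_type = SADB_GETSPI;
    m.sadb_msg_satype = acq->sadb_msg_satype;
    m.sadb_msg_seq = acq->sadb_msg_seq; m.sadb_msg_pid = pid;
    m.sadb_msg_len = sizeof m / 8;
    return m;
}

/* Kernel side: does this GETSPI belong to the outstanding ACQUIRE? */
bool getspi_matches_acquire(const struct sadb_msg *acq, const struct sadb_msg *spi) {
    return spi->sadb_msg_version == PF_KEY_V2 && spi->sadb_msg_type == SADB_GETSPI
        && acq->sadb_msg_type == SADB_ACQUIRE
        && spi->sadb_msg_satype == acq->sadb_msg_satype
        && spi->sadb_msg_seq == acq->sadb_msg_seq;
}

int main(void) {
    struct sadb_msg acq = kernel_acquire(SADB_SATYPE_AH, 42);   /* constructed */
    struct sadb_msg spi = kmd_getspi(&acq, 1234);
    struct sadb_msg stray = spi; stray.sadb_msg_seq = 7;       /* wrong seq */
    printf("match=%d stray=%d\n", getspi_matches_acquire(&acq, &spi),
           getspi_matches_acquire(&acq, &stray));
    return 0;
}
```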