PFKEYv2 and IKEd.
I have some basic questions concerning PFKEYv2 and IKE.
First, draft-mcdonald-pf-key-v2-06.txt says,
5.1 Simple IP Security Example
Assume that no security associations currently exist for IPsec to
use. Consider when a network application begins transmitting data
(e.g. a TCP SYN). Because of policy, or the application's request,
the kernel IPsec module needs an AH security association for this
data. Since there is not one present, the following message is
generated:
Kernel->Registered: SADB_ACQUIRE for AH, addrs, ID, sens,
The KMd reads the ACQUIRE message, especially the sadb_msg_seq
number. Before it begins the negotiation, it sends down an
SADB_GETSPI message with the sadb_msg_seq number equal to the one
received in the ACQUIRE. The kernel returns the results of the
GETSPI to all listening sockets.
KMd->Kernel: SADB_GETSPI for AH, addr, SPI range
Kernel->All: SADB_GETSPI for AH, assoc, addrs
Who is this SPI for?
I think it is strange to do SADB_GETSPI on the sender system,
because the SPI must be decided by the receiver.
Next, draft-ietf-ipsec-isakmp-oakley-08.txt says,
5.5 Phase 2 - Quick Mode
Quick Mode is essentially a SA negotiation and an exchange of nonces
that provides replay protection.
:
:
Quick Mode is defined as follows:
           Initiator                        Responder
          -----------                      -----------
            HDR*, HASH(1), SA, Ni
              [, KE ] [, IDci, IDcr ] -->
                                  <--    HDR*, HASH(2), SA, Nr
                                           [, KE ] [, IDci, IDcr ]
            HDR*, HASH(3)             -->
:
:
A single SA negotiation results in two security associations-- one
inbound and one outbound.
I would like to get confirmation.
Are two security associations negotiated by a Quick Mode exchange
such as in this figure?
If that is right, is it possible to negotiate a security association
in a single direction only? For example, negotiating an SA for UDP packets.
Another question about the figure:
which side, the `Initiator' or the `Responder', is the one sending the packet
that causes this negotiation (e.g. a TCP SYN)?
I think there is a consistency in using both IKEd and PF_KEYv2.
Please correct me when I'm wrong.
Regards.
P.S. Thank you for your help and sorry for my bad English
==================
Shoichi Sakane
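To illustrate the ACQUIRE -> GETSPI exchange quoted from the PF_KEY draft and the "two SAs per Quick Mode" statement quoted from the ISAKMP/Oakley draft, here is an added toy model (example code written for this page, not from the drafts, the poster, or any real KMd). It packs real sadb_msg headers (16-byte layout and message-type values from RFC 2367) but the Kernel and KMd classes, the SPI allocator starting at 0x1000 and the peer SPI 0x2A2A are constructed for the demonstration; it shows that the SPI returned by GETSPI is for the requesting host's own inbound SA, and that one negotiation ends with one inbound and one outbound SA in the SADB.

```python
import struct
import itertools

# PF_KEYv2 header constants (RFC 2367): version, message types, SA type.
PF_KEY_V2 = 2
SADB_GETSPI, SADB_UPDATE, SADB_ADD, SADB_ACQUIRE = 1, 2, 3, 6
SADB_SATYPE_AH = 2
# sadb_msg: version, type, errno, satype, len (8-byte units), reserved, seq, pid
HDR = "BBBBHHII"

def pack_hdr(msg_type, satype, seq, pid=0, errno=0):
    """Build a bare 16-byte sadb_msg header (len=2 units, no extensions)."""
    return struct.pack(HDR, PF_KEY_V2, msg_type, errno, satype, 2, 0, seq, pid)

def unpack_hdr(buf):
    v, t, e, sat, _len, _res, seq, pid = struct.unpack(HDR, buf[:16])
    assert v == PF_KEY_V2, "not a PF_KEYv2 message"
    return {"type": t, "errno": e, "satype": sat, "seq": seq, "pid": pid}

class Kernel:
    """Toy kernel SADB (constructed): entries keyed by (spi, direction)."""
    def __init__(self):
        self.seq = itertools.count(1)        # sadb_msg_seq for ACQUIREs
        self.spis = itertools.count(0x1000)  # constructed SPI allocator
        self.sadb = {}
    def acquire(self, satype):
        # Outbound packet (e.g. TCP SYN) found no SA: ask the registered KMd.
        return pack_hdr(SADB_ACQUIRE, satype, next(self.seq))
    def getspi(self, msg):
        h = unpack_hdr(msg)
        spi = next(self.spis)                # SPI for OUR inbound SA: we are its receiver
        self.sadb[(spi, "in")] = "larval"
        return pack_hdr(SADB_GETSPI, h["satype"], h["seq"]), spi
    def update(self, spi):                   # SADB_UPDATE: larval inbound SA -> mature
        self.sadb[(spi, "in")] = "mature"
    def add(self, spi):                      # SADB_ADD: outbound SA using the peer's SPI
        self.sadb[(spi, "out")] = "mature"

def negotiate(kern, peer_spi=0x2A2A):
    """KMd side: ACQUIRE -> GETSPI -> (Quick Mode) -> UPDATE + ADD; returns the SADB."""
    acq = unpack_hdr(kern.acquire(SADB_SATYPE_AH))
    reply, my_spi = kern.getspi(pack_hdr(SADB_GETSPI, acq["satype"], acq["seq"]))
    assert unpack_hdr(reply)["seq"] == acq["seq"]   # GETSPI reply matched to ACQUIRE by seq
    # Quick Mode (not modelled): my_spi is carried in our SA proposal so the peer uses it
    # for traffic sent to us; peer_spi (constructed) is what the peer chose for our traffic.
    kern.update(my_spi)
    kern.add(peer_spi)
    return sorted(kern.sadb.items())
```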