
arch-07 and protocol mode stored in SAD? Why?

In draft-ietf-ipsec-arch-sec-07, "4.4.3 Security Association Database
(SAD)"  (page 24), in the list of required SAD fields, there is this
"IPsec protocol mode", and I am wondering why?

1) There is no way to set this field from PFKEY, as far as I can see
   (unless one takes a hint from presence of a PROXY_ADDRESS
   extension, but even then it would leave open how to choose between
   "wildcard" and "transport")

2) in my "legacy implementation", the tunneling is controlled by the
   policy definition, and this seems to be quite a working solution.

Again, one of the issues where Policy and SAD are getting
mixed/confused?

But anyway, it would seem that the description of the
tunnel/wildcard/transport mode would not belong to SAD, but into SPD
and bundles.

On conformance, I doubt there is any way to detect from outside,
whether I implement this on SAD, or in SPD.

Now, looking at all the description about how to do tunneling, I am
starting to wonder whether I do it right, when I do it simple and
totally independent of the ESP or AH, e.g. for each bundle

Step. 1. Apply general tunnel (IPIP) to packet (if the bundle
	specifies a tunnel, e.g. my policy tells when to tunnel or
	not, SA knows nothing about it)

Step. 2. Apply ESP or AH to packet (these don't care what the
	next protocol is, work equally well with IPIP and any other
	protocols) 

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
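The two-step processing the mail describes, as an added toy model (not the author's code, nor any real IPsec stack): the SAD entry carries no mode field, the SPD entry/bundle decides whether to apply an IP-in-IP tunnel, and the same ESP step is applied afterwards regardless of what the next protocol is. Header checksums, crypto and padding are omitted (hypothetical simplifications).

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50


@dataclass(frozen=True)
class SA:
    """SAD entry as the mail proposes: SPI and sequence only, no mode field."""
    spi: int
    seq: int = 1


@dataset_placeholder = None  # (removed below)
```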


Follow-Ups: