
Re: arch-07 and protocol mode stored in SAD? Why?



> "IPsec protocol mode", and I am wondering why?
> 
> 1) There is no way to set this field from PFKEY, as far as I can see
>    (unless one takes a hint from presence of a PROXY_ADDRESS
>    extension, but even then it would leave open how to choose between
>    "wildcard" and "transport")

Another way to see it is on the SADB_ACQUIRE message: look at what the
sadb_address_proto field is set to.  If it's set to IPPROTO_IP or
IPPROTO_IPV6, then you can safely assume it's tunnel.

I have NEVER understood why people are so anal about tunnel vs. transport.
One is a case of the other, IMHO.

> But anyway, it would seem that the description of the
> tunnel/wildcard/transport mode would not belong to SAD, but into SPD and
> bundles.

I agree!

> eg... for each bundle
> 
> Step. 1. Apply general tunnel (IPIP) to packet (if the bundle
> 	specifies a tunnel, e.g. my policy tells when to tunnel or
> 	not, SA knows nothing about it)
> 
> Step. 2. Apply ESP or AH to packet (these don't care what the
> 	next protocol is, work equally well with IPIP and any other
> 	protocols) 

I believe you'll find more than a few implementations that do things this
way.

Dan
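The SADB_ACQUIRE hint above, worked through as an added example that is not part of the original mail and not code from any IPsec implementation. It builds a constructed PF_KEY v2 SADB_ACQUIRE between two RFC 5737 documentation addresses, walks its extension chain with length checks, and reads sadb_address_proto from the SRC/DST address extensions to classify the SA as tunnel (IPPROTO_IP or IPPROTO_IPV6) or transport (anything else). The struct layouts and constants follow RFC 2367 and are re-declared so the file builds without the system pfkeyv2 header; the function names (`infer_mode`, `build_acquire`, `mode_for_proto`, `mode_for_overlong_ext`) and the `ipsec_mode` enum are mine, not anything from PF_KEY.

```c
/* Added example, not code from the original mail: parse a constructed PF_KEY v2
 * SADB_ACQUIRE and apply the hint above (sadb_address_proto of IPPROTO_IP or
 * IPPROTO_IPV6 on the SRC/DST extensions means tunnel, else transport). Layouts
 * follow RFC 2367, re-declared so this builds without <net/pfkeyv2.h>. */
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PF_KEY_V2            2
#define PFKEY_UNIT64         8   /* every PF_KEY length is in 64-bit units */
#define SADB_ACQUIRE         6
#define SADB_SATYPE_ESP      3
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6

struct sadb_msg {                        /* base header */
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_address {                    /* followed by a sockaddr, padded to 8 */
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};

enum ipsec_mode { MODE_MALFORMED = -1, MODE_UNKNOWN, MODE_TRANSPORT, MODE_TUNNEL };

/* Walk the extension chain, checking every length against the bytes actually
 * handed in (never reading past the buffer), then apply the hint to SRC/DST. */
enum ipsec_mode infer_mode(const uint8_t *buf, size_t buflen)
{
    struct sadb_msg hdr;
    size_t off, extlen;
    int src_proto = -1, dst_proto = -1;
    if (buflen < sizeof hdr) return MODE_MALFORMED;
    memcpy(&hdr, buf, sizeof hdr);
    if ((size_t)hdr.sadb_msg_len * PFKEY_UNIT64 != buflen) return MODE_MALFORMED;
    if (hdr.sadb_msg_version != PF_KEY_V2 || hdr.sadb_msg_type != SADB_ACQUIRE)
        return MODE_UNKNOWN;
    for (off = sizeof hdr; off < buflen; off += extlen) {
        struct sadb_ext ext; struct sadb_address a;
        if (buflen - off < sizeof ext) return MODE_MALFORMED;
        memcpy(&ext, buf + off, sizeof ext);
        extlen = (size_t)ext.sadb_ext_len * PFKEY_UNIT64;
        if (extlen < sizeof ext || extlen > buflen - off) return MODE_MALFORMED;
        if (ext.sadb_ext_type != SADB_EXT_ADDRESS_SRC &&
            ext.sadb_ext_type != SADB_EXT_ADDRESS_DST) continue;
        if (extlen < sizeof a) return MODE_MALFORMED;
        memcpy(&a, buf + off, sizeof a);
        if (ext.sadb_ext_type == SADB_EXT_ADDRESS_SRC) src_proto = a.sadb_address_proto;
        else dst_proto = a.sadb_address_proto;
    }
    if (src_proto < 0 || dst_proto < 0) return MODE_UNKNOWN;
    /* the hint: IP-in-IP as the protocol on both endpoints means a tunnel SA */
    if ((src_proto == IPPROTO_IP || src_proto == IPPROTO_IPV6) &&
        (dst_proto == IPPROTO_IP || dst_proto == IPPROTO_IPV6)) return MODE_TUNNEL;
    return MODE_TRANSPORT;
}

/* Append one address extension: 8-byte header + 16-byte sockaddr_in = 3 units. */
static size_t put_address(uint8_t *buf, size_t off, uint16_t type, uint8_t proto, uint32_t ip)
{
    struct sadb_address a = { 3, type, proto, 32, 0 };
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(ip) };
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + sizeof a, &sin, sizeof sin);
    return off + sizeof a + sizeof sin;
}

/* Constructed 64-byte ESP SADB_ACQUIRE, 192.0.2.1 -> 192.0.2.2 (RFC 5737 addresses). */
size_t build_acquire(uint8_t buf[64], uint8_t proto)
{
    struct sadb_msg h = { PF_KEY_V2, SADB_ACQUIRE, 0, SADB_SATYPE_ESP, 0, 0, 1, 0 };
    size_t off = put_address(buf, sizeof h, SADB_EXT_ADDRESS_SRC, proto, 0xC0000201u);
    off = put_address(buf, off, SADB_EXT_ADDRESS_DST, proto, 0xC0000202u);
    h.sadb_msg_len = (uint16_t)(off / PFKEY_UNIT64);
    memcpy(buf, &h, sizeof h);
    return off;
}

enum ipsec_mode mode_for_proto(uint8_t proto)
{
    uint8_t buf[64];
    return infer_mode(buf, build_acquire(buf, proto));
}

/* Make the DST extension claim 80 bytes inside a 64-byte message: must be rejected. */
enum ipsec_mode mode_for_overlong_ext(void)
{
    uint8_t buf[64];
    uint16_t bad_len = 10;
    size_t len = build_acquire(buf, IPPROTO_TCP);
    memcpy(buf + sizeof(struct sadb_msg) + 24, &bad_len, sizeof bad_len);
    return infer_mode(buf, len);
}
```

Two points worth keeping in mind when reading a real message this way. First, IPPROTO_IP is numerically 0, the same value RFC 2367 uses for "any protocol" in sadb_address_proto, so the check cannot tell an explicit IP-in-IP selector from an unset one; that is the hint's assumption, and the parser only applies it. Second, every sadb_ext_len comes from the message itself, which is why the loop validates each extension against the bytes actually received before touching it: the corrupted-length case above is reported as malformed rather than read out of bounds.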


