
RE: Selection of proposals

> -----Original Message-----
> From: rohit [mailto:rohit@trinc.com]
> Sent: Tuesday, November 03, 1998 4:35 AM
> To: kent@bbn.com
> Cc: ipsec@tis.com
> Subject: Selection of proposals
> 
> 
> Hi All,
> 
> The scenario I sent in yesterday didn't give all the details and I am
> modifying it to give the exact scenario...
> 
>        If we have  SG1, SG2 and IPSec capable host H2 in the following
> scenario,
> 
> 
>          |--------ESP tunnel-------|
>          |                         |
>         SG1 --------------------- SG2 ----------- H2
>          |                                         |
>          |-----------------AH tunnel--------------|
> 
> 
> and the security policies are as follows.
> 
> At SG1 OutBound Policy is 
> 
>  Proposal #1:  
>           For SG2 :  ESP with 3DES
>                   or ESP with DES
>           For H2  :  AH with SHA1
>                   or AH with MD5
> 
> At SG2 we have the Inbound Policy as
>   
>   Proposal # 1 :
>             ESP with 3DES
>             or ESP with DES
> 
> H2 has the inbound policy as
>   
>   Proposal # 1:
>             AH with MD5
> 
>      
> During IKE negotiation,  SG1 sends out the SAPayload(with the two
> transforms it has) to SG2 and H2. SG2 will select Transform 
> #1 of SG1 and
> H2 will select Transform # 2 of SG1. Because of this, an SA 
> bundle that
> perfectly matches the proposal cannot be formed by SG1. 
> However, SG2 is
> capable of processing with DES and had SG2 selected this, it 
> could have
> formed an SA bundle at SG1.
> 
SG1 will run two separate IKE exchanges - one with SG2 and the other with
H2.  If it proposes [ESP (3DES or DES) and AH (SHA1 or MD5)] to SG1,
obviously the exchange is going to fail because SG2 is not configured for
AH.  If it proposes just the ESP transforms, SG2 will pick one, and a set of
inbound and outbound ESP SAs will be created between SG1 and SG2.
Similarly, a set of AH SAs will be created between SG1 and H2.  These two
sets of SAs are independent of each other.  What SG2 picks during IKE has
nothing to do with what H2 picks.  If you want to logically link the two
sets of SAs on SG1 together, that's fine.

On SG1, you'd really have:
For SG2:
	Proposal #1:
		ESP with 3DES
	or	ESP with DES

For H2:
	Proposal #1:
		AH with SHA1
	or	AH with MD5


Sumit A. Vakil
VPNet Technologies, Inc.
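
The two-exchange answer above, worked through as an added example. This is not code from the post, nor from any IPsec implementation: the class and function names (Peer, Proposal, quick_mode, build_bundle), the selection rule (the responder takes the first offered transform its inbound policy allows, and rejects a proposal outright if it lists a protocol it is not configured for), and the inner/outer ordering of the two tunnels on SG1's outbound path are all assumptions of this toy negotiator. The policies are the ones from the thread, constructed inline.

```python
# Added example: a small model of IKE quick-mode proposal/transform
# selection for the SG1 / SG2 / H2 scenario in the thread.  Not taken from
# the post or from any real IPsec stack; names and the selection rule are
# assumptions of this simplified negotiator.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    protocol: str   # "ESP" or "AH"
    algorithm: str  # "3DES", "DES", "SHA1", "MD5"


@dataclass
class Proposal:
    # Every protocol listed in one proposal must be accepted (AND); the
    # transforms under a protocol are alternatives in the initiator's
    # order of preference (OR).
    protocols: dict


@dataclass
class Peer:
    name: str
    accepts: dict   # inbound policy: protocol -> algorithms it will take

    def select(self, proposal):
        """Responder side: one chosen transform per protocol, or None."""
        chosen = {}
        for proto, transforms in proposal.protocols.items():
            if proto not in self.accepts:
                return None      # protocol we cannot do: whole proposal rejected
            for t in transforms:  # walk in the initiator's preference order
                if t.algorithm in self.accepts[proto]:
                    chosen[proto] = t
                    break
            else:
                return None      # no acceptable transform for this protocol
        return chosen


def describe(proposal):
    """Render a proposal the way it is offered: ESP {3DES|DES}; AH {SHA1|MD5}."""
    return "; ".join(f"{p} {{{'|'.join(t.algorithm for t in ts)}}}"
                     for p, ts in proposal.protocols.items())


def quick_mode(initiator, responder, proposal):
    """One quick-mode style exchange: returns (transcript, chosen)."""
    transcript = [(initiator, responder.name, "SA: " + describe(proposal))]
    chosen = responder.select(proposal)
    if chosen is None:
        transcript.append((responder.name, initiator, "NO-PROPOSAL-CHOSEN"))
    else:
        picked = ", ".join(f"{p} {t.algorithm}" for p, t in chosen.items())
        transcript.append((responder.name, initiator, "SA: " + picked))
    return transcript, chosen


# Constructed policies, as stated in the thread.
SG2 = Peer("SG2", {"ESP": ["3DES", "DES"]})
H2 = Peer("H2", {"AH": ["MD5"]})

ESP_TO_SG2 = Proposal({"ESP": [Transform("ESP", "3DES"), Transform("ESP", "DES")]})
AH_TO_H2 = Proposal({"AH": [Transform("AH", "SHA1"), Transform("AH", "MD5")]})


def single_proposal_attempt():
    """The single-proposal reading from the quoted mail: one proposal that
    carries both the ESP and the AH transforms, offered to SG2.  SG2 is not
    configured for AH, so it rejects the proposal as a whole."""
    combined = Proposal({**ESP_TO_SG2.protocols, **AH_TO_H2.protocols})
    _, chosen = quick_mode("SG1", SG2, combined)
    return chosen


def build_bundle():
    """The reply's approach: two independent exchanges, then link the two
    SAs on SG1.  What SG2 picks has no bearing on what H2 picks."""
    _, esp = quick_mode("SG1", SG2, ESP_TO_SG2)
    _, ah = quick_mode("SG1", H2, AH_TO_H2)
    if esp is None or ah is None:
        return None
    # Assumed iterated-tunnel order on SG1's outbound path: the AH tunnel
    # to the far end (H2) is applied first, the ESP tunnel to the near end
    # (SG2) wraps it.
    return {"inner": ah["AH"], "outer": esp["ESP"]}


if __name__ == "__main__":
    print("single proposal to SG2:", single_proposal_attempt())
    for msg in quick_mode("SG1", SG2, ESP_TO_SG2)[0] + quick_mode("SG1", H2, AH_TO_H2)[0]:
        print("%s -> %s: %s" % msg)
    print("bundle on SG1:", build_bundle())
```

Run stand-alone it prints the rejected combined proposal, the two separate exchanges (SG2 answering with ESP 3DES, H2 with AH MD5), and the bundle SG1 assembles from the two results; the "mismatch" in the original question never arises because each exchange is matched only against its own peer's policy.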