[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IBM VPN Bakeoff Issues

To: tjenkins@TimeStep.com
Subject: Re: IBM VPN Bakeoff Issues
From: Markku Savela <msa@anise.tte.vtt.fi>
Date: Thu, 5 Nov 1998 11:08:51 +0200 (EET)
CC: ipsec@tis.com
In-reply-to: <319A1C5F94C8D11192DE00805FBBADDF4F7D00@exchange> (message from Tim Jenkins on Wed, 4 Nov 1998 14:07:46 -0500)
Reply-to: msa@hemuli.tte.vtt.fi (Markku Savela)
Sender: owner-ipsec@ex.tis.com

> From: Tim Jenkins <tjenkins@TimeStep.com>
> 
> In response to some of the list of issues and questions raised at the IBM
> VPN interoperability workshop:
> 
> > 9. Should the order of protocols dictate the order of security
> > association or should AH, ESP, IPComp always be processed in a
> > certain order?  Most vendors agreed with the latter
> 
> If we consider that a fixed order is assumed, and that we will never support
> ESP and ESP, there are only 4 kinds of bundles possible: IPCOMP+ESP,
> IPCOMP+AH, ESP+AH, and IPCOMP+ESP+AH.

Looking at this from the pont of view of implemenor of a basic IPSEC +
PFKEY in the kernel, I am perhaps a bit confused again: my
understanding of the IPSEC architecture was

 for outgoing
	from policy selector -> SA bundle (list of SA's), apply them
	in whatever order the bundle lists.

 for incoming,
	apply SA's from the packet, remember the order, and after all
	done find the matching policy entry and check that the order
	applied matches the order in bundle.

The order is an immutable policy decision between communicating
partners, at least by reading the current IPSEC drafts. What is the
problem? Can't IKE should just negotiate SAs?

It looks once again that IKE/ISAMKP are trying to negotiate things
that need to modify the policy. It may be that the current IPSEC is
deficient in this respect for real use, and some negotiation of the
policy aspects is also required. But I wold prefer to see a some
separation of those parts that negotiate individual SA and those that
negotiate policy affecting things (order of SAs). And, we might need a
PF_KEY like interface to communicate the policy changes to the kernel?

Perhaps, a solution is that the Key management daemon reads the same
policy configuration as the kernel IPSEC is using? Then, the key
management at least knows what order is configured in?

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

References:

Re: IBM VPN Bakeoff Issues

From: Tim Jenkins <tjenkins@TimeStep.com>

Prev by Date: Re: Selection of proposals
Next by Date: RE: IBM VPN Bakeoff Issues
Prev by thread: Re: IBM VPN Bakeoff Issues
Next by thread: Re: IBM VPN Bakeoff Issues
Index(es):
- Main
- Thread