
RE: IBM VPN Bakeoff Issues





> We should conceptually think of bundles as a single SA that provides
> multiple services. This means that all three services expire at the same
> time and are re-keyed at the same time. Further, when being negotiated,
> they all functionally use the same encapsulation (even though
> implementations may consider the outer headers as always being in
> transport mode). This means that a gateway always offers tunnel mode for
> all three services, since the bundle as a whole is in tunnel mode.
 

Yes, a point that was not raised at the workshop.  We did a test with AH+ESP
in tunnel mode. We took this to mean AH+ESP adjacent with a shared tunnel
header.  The other vendor took this to mean IP1+AH+IP2+ESP+IP3.  There was
some agreement that a proposal that offered AH-tunnel AND ESP-tunnel should
mean a shared tunnel-header, but maybe we need more text somewhere.

We have made our code more flexible so that it will cope with this case in
future: provided IP1 and IP2 are the same (and AH and ESP are both present),
we will process this other variant the same way.

> Therefore, for the current version of IPSec, make the following
> statements:
>
> 1) The order of application of services, from inner header to outer, MUST
> be IPCOMP, ESP and AH when more than one service is present.
>
> 2) The encapsulation mode of all services offered MUST match the
> encapsulation mode of the bundle as a whole.
>
> 3) The order of the services in the ANDed offer is not required to be any
> particular order. Responders may change the order when selecting the
> bundle.
>
> 4) The entire bundle expires when any one of the services within the
> bundle expires.
[[SW]] and IPCOMP MUST be accompanied by a security protocol.  
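The bundle rules quoted above and the shared-tunnel-header reading discussed in this reply, as an added example that is not part of the original message: a small checker that canonicalizes an ANDed offer, applies the four rules plus the IPCOMP requirement, and collapses the other vendor's IP1+AH+IP2+ESP+IP3 layout only when IP1 and IP2 match. The (protocol, mode) representation and the function names are assumptions made for this illustration.

```python
# Added example, not code from the original message. The (protocol, mode)
# representation of a service and the function names are assumptions.

INNER_TO_OUTER = ("IPCOMP", "ESP", "AH")  # rule 1: order of application
SECURITY_PROTOCOLS = {"ESP", "AH"}         # [[SW]]: IPCOMP needs one of these


def canonical_order(offer):
    """Rule 3: an ANDed offer may list services in any order and the responder
    may reorder it.  Return the services sorted inner-to-outer."""
    return sorted(offer, key=lambda svc: INNER_TO_OUTER.index(svc[0]))


def check_bundle(offer, bundle_mode):
    """Return the problems with an offer (empty list means acceptable).
    offer: list of (protocol, mode), e.g. [("AH", "tunnel"), ("ESP", "tunnel")]
    bundle_mode: "tunnel" or "transport" for the bundle as a whole."""
    problems = []
    protos = [p for p, _ in offer]
    for p in protos:
        if p not in INNER_TO_OUTER:
            problems.append("unknown service %s" % p)
    if len(set(protos)) != len(protos):
        problems.append("a service is listed more than once")
    for p, mode in offer:  # rule 2: every service's mode must match the bundle
        if mode != bundle_mode:
            problems.append("%s offered in %s mode, bundle is %s" % (p, mode, bundle_mode))
    if "IPCOMP" in protos and not SECURITY_PROTOCOLS & set(protos):
        problems.append("IPCOMP must be accompanied by AH or ESP")
    return problems


def shared_header_layout(offer, bundle_mode):
    """Outer-to-inner header sequence under the shared-tunnel-header reading:
    one outer IP header for the whole bundle (tunnel mode only), then the
    services outermost first, then the original packet."""
    if check_bundle(offer, bundle_mode):
        raise ValueError("offer violates the bundle rules")
    protos = [p for p, _ in reversed(canonical_order(offer))]
    outer = ["IP-outer"] if bundle_mode == "tunnel" else []
    return outer + protos + ["IP-inner"]


def collapse_per_service_tunnel(headers):
    """The other vendor's reading wraps each service in its own tunnel header:
    IP1 AH IP2 ESP IP3.  As the message says, treat it like the shared-header
    form IP1 AH ESP IP3 only when IP1 and IP2 are the same and both AH and ESP
    are present; otherwise return it unchanged.  headers: (name, addrs) pairs."""
    names = [h[0] for h in headers]
    if names[:5] == ["IP", "AH", "IP", "ESP", "IP"] and headers[0] == headers[2]:
        return headers[:2] + headers[3:]
    return list(headers)
```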
