
RE: Bundle or not in negotiation



The reason I pursue this is not to create a flame war, but to press
for a simple standard. To me these ordering and bunching requirements
appear to make things more restrictive and complex than is required by
the IPSEC architecture. It appears that some solutions made by some
implementations are changing the standard (not necessarily bad, if
changes are really needed, but at this point I am not yet convinced).

Concerning ESP+AH negotiation as a bunch or independently...

> Yes, they can. Nothing I said above intends to preclude that. But if
> you do that, you'll create two *separate* tunnels: 1 with ESP and AH.
> The SAs that create those tunnels will have been negotiated with
> separate SA payloads, probably in separate quick modes.

There is some fundamental difference in our view of this. I don't
see any tunnels appearing whether SAs are negotiated separately or
together. Whether a tunnel is used or not is a totally independent
(policy) decision, as shown in my previous emails with subject
"Bundles, policies, tunneling, ordering etc..."

> The specific case I was referring to, and the implicit (I need to make
> this explicit) assumption being made, is that the services are being
> negotiated within the same SA payload, and each service is a
> proposal with the same proposal number.

Unfortunately, I don't know IKE well enough to understand the above
statement. My view is totally from the IPSEC direction: in this case it
needs an SA pair for AH and it needs an SA pair for ESP, both of which it asks
for from the key management separately. Both requests contain full
information to set them up independently. It is up to the key management
whether it wants to combine the negotiations. But, even if combined, what
is it that the AH SA negotiation needs from the ESP SA negotiation or vice
versa?

> > The application order of IPCOM+ESP+AH is defined by the policy, which
> > *must* specify the same order on both sides.

> Not according to earlier posts, which state that this issue came up
> before.

This is what I am doing: I am questioning those earlier posts and the
reasoning behind them, because I don't see the need for such a
requirement from the IPSEC point of view. There is nothing in the KERNEL
IPSEC architecture that demands ordering of the negotiations. The
bundle attached to the policy selector defines the order of SAs to
apply.
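A toy model of the SPD/SAD split the post relies on, added here as an example (it is not code from the thread or from any implementation discussed in it): the bundle on the policy selector fixes the order in which SAs are applied, the SAD holds SAs without regard to whether they were negotiated together or in separate quick modes, and a peer whose policy lists a different order drops the packet at IPsec processing time. The names, the constructed SPIs and the accept/drop strings are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the SPD/SAD split argued in the post (not code from the
# thread): the policy entry carries the ordered bundle, while the SAD holds SAs
# with no record of whether they were negotiated together or separately.

@dataclass(frozen=True)
class SA:
    proto: str  # "IPCOMP", "ESP" or "AH"
    spi: int

def install_sa(sad, dst, sa):
    """Add one SA to the SAD; the call order stands in for negotiation order."""
    sad[(dst, sa.proto)] = sa

def outbound(pkt, spd, sad):
    """Apply the bundle in policy order; the first protocol becomes innermost."""
    bundle = spd[(pkt["src"], pkt["dst"])]
    layers = []
    for proto in bundle:
        sa = sad.get((pkt["dst"], proto))
        if sa is None:
            return None  # no SA for this bundle element: an acquire would go to key management
        layers.append((proto, sa.spi))
    return {**pkt, "layers": layers}

def inbound(pkt, spd, sad):
    """Strip layers outermost-first, then compare the order seen with local policy."""
    seen = []
    for proto, spi in reversed(pkt["layers"]):
        sa = sad.get((pkt["dst"], proto))
        if sa is None or sa.spi != spi:
            return "drop: unknown SA"
        seen.append(proto)
    bundle = spd[(pkt["src"], pkt["dst"])]
    if seen != list(reversed(bundle)):
        return "drop: bundle order mismatch"
    return "accept"

def simulate(sender_bundle, receiver_bundle, install_order):
    """Send one packet A->B with SAs installed in the given order; return the verdict."""
    sel = ("A", "B")
    sad = {}
    for proto, spi in install_order:  # constructed SPIs; dict keying ignores install order
        install_sa(sad, "B", SA(proto, spi))
    pkt = outbound({"src": "A", "dst": "B"}, {sel: sender_bundle}, sad)
    if pkt is None:
        return "no SA for bundle"
    return inbound(pkt, {sel: receiver_bundle}, sad)
```

Installing the AH SA before the ESP SA, or the other way round, gives the same verdict; only a mismatch between the two peers' policy bundles changes the outcome.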
