
RE: Bundle or not in negotiation



> > Of course you don't have to do that. You can do multiple negotiations
> > and be inefficient if you want. But if you do negotiate things separately
> > then what do you do with the packets that are queued up after the 1st
> > negotiation is finished but before the 2nd is finished?
> >
> > If your plumbing can't handle a set of requirements and can only dole
> > things out one at a time and your policy says "AH AND ESP for traffic
> > from foo to bar with frobnitz as the peer" then you'll do an AH negotiation
> > with frobnitz and then a separate ESP negotiation with frobnitz. When the
> > first is finished whaddya do? Send packets with AH but not ESP? Or do
> > you wait until all negotiations are finished? If the latter then what's
> > the point of doing them separately. I'm missing something.
> >
> Assume I wait until all negotiations are finished. What is wrong with
> negotiating them separately, except for some slow performance? Assume the
> policy does not mandate unique SAs, i.e. sharing of SAs is permitted. What
> is wrong in having AH and ESP SAs separately? Some other connection may want
> to use just the AH SA and not the ESP SA. Some connection may want to use
> both of them. Is there any reason to bundle them together?
>
> -mohan
>


I think that the ISAKMP document is very clear about this.  From section 2.1

"Protection Suite: A protection suite is a list of the security services
that must be applied by various security protocols.  For example, a
protection suite may consist of DES encryption in IP ESP, and keyed MD5 in IP
AH. All of the protections in a suite must be treated as a single unit.
This is necessary because security services in different security
protocols can have subtle interactions, and the effects of a suite must be
analyzed and verified as a whole."
and
"Proposal: A proposal is a list, in decreasing order of preference, of the
protection suites that a system considers acceptable to protect traffic
under a given situation."

From section 2.2

"Figure 1 is a high level view of the placement of ISAKMP within a system
context in a network architecture.  An important part of negotiating secu-
rity services is to consider the entire ``stack'' of individual SAs as a
unit.  This is referred to as a ``protection suite''."

If my security policy requires that a certain pair of phase 2 ids be
protected by both ESP and AH, I'm going to expect the peer to propose a
combination of the two.  If someone proposes only AH or only ESP for that id
pair, then that is a violation of my security policy and I'm going to reject
the offer.  Under no circumstances do I want to send or receive data between
those two ids with inadequate protection.  Besides, I have no control over
what the peer does.  Suppose that the initiator proposes only AH and the
responder accepts it.  The responder knows that ESP is also required.  At
that point, does it wait for a second exchange from the initiator?  If yes,
how long?  Or does it just start a fresh exchange with the initiator?
That's just going to make the overlapping exchanges issue more of a problem.

Sumit A. Vakil
VPNet Technologies, Inc.
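The responder-side behaviour argued for above (a proposal is an ordered list of protection suites, each suite is accepted or rejected as one unit, and a suite that offers only AH or only ESP against a policy requiring both is refused rather than half-accepted), as an added example that is not part of the original message or VPNet's code. The grouping rule it uses, that Proposal payloads sharing a proposal number are ANDed into one suite while different numbers are alternatives in preference order, is the ISAKMP SA payload encoding; the `Policy`, `Protection` and `ProtectionSuite` types, the transform names and the sample proposals are this example's own constructions.

```python
"""Responder-side evaluation of an ISAKMP proposal against local policy.

Added example (not from the original message). A proposal is a list of
protection suites in decreasing order of preference; each suite (e.g.
keyed MD5 in AH plus DES in ESP) is accepted or rejected as a single
unit. Policy, Protection, ProtectionSuite and the transform names below
are illustrative inventions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Protection:
    """One security protocol plus the transform offered for it."""
    protocol: str    # "AH" or "ESP"
    transform: str   # illustrative names, e.g. "HMAC-MD5", "DES-CBC"


@dataclass(frozen=True)
class ProtectionSuite:
    """Protections that must be applied together (one proposal number)."""
    protections: tuple  # tuple of Protection

    def protocols(self) -> frozenset:
        return frozenset(p.protocol for p in self.protections)


@dataclass
class Policy:
    """What the responder requires for a given pair of phase 2 ids."""
    required_protocols: frozenset   # e.g. {"AH", "ESP"}
    acceptable_transforms: dict     # protocol -> set of allowed transforms


def group_suites(proposal_entries):
    """Turn (proposal_number, Protection) entries into an ordered suite list.

    Same proposal number -> same suite (AND); ascending numbers give the
    initiator's preference order (OR between suites).
    """
    by_number = {}
    for number, protection in proposal_entries:
        by_number.setdefault(number, []).append(protection)
    return [ProtectionSuite(tuple(by_number[n])) for n in sorted(by_number)]


def suite_acceptable(suite: ProtectionSuite, policy: Policy) -> bool:
    """Judge a suite only as a whole: every required protocol must be
    present and every offered protection must use a transform we allow.
    AH alone or ESP alone against an AH+ESP policy fails the first check."""
    if not policy.required_protocols <= suite.protocols():
        return False
    for p in suite.protections:
        if p.transform not in policy.acceptable_transforms.get(p.protocol, ()):
            return False
    return True


def select_suite(proposal_entries, policy: Policy):
    """First acceptable suite in the initiator's preference order, else None.
    None means the whole proposal is rejected; nothing is accepted partially."""
    for suite in group_suites(proposal_entries):
        if suite_acceptable(suite, policy):
            return suite
    return None


# Constructed sample data (not from any real negotiation).
POLICY_AH_AND_ESP = Policy(
    required_protocols=frozenset({"AH", "ESP"}),
    acceptable_transforms={"AH": {"HMAC-MD5", "HMAC-SHA1"},
                           "ESP": {"DES-CBC", "3DES-CBC"}},
)

# Initiator offers: #1 ESP alone, #2 AH+ESP, #3 AH alone.
MIXED_PROPOSAL = [
    (1, Protection("ESP", "DES-CBC")),
    (2, Protection("AH", "HMAC-MD5")),
    (2, Protection("ESP", "DES-CBC")),
    (3, Protection("AH", "HMAC-MD5")),
]
AH_ONLY_PROPOSAL = [(1, Protection("AH", "HMAC-MD5"))]
ESP_ONLY_PROPOSAL = [(1, Protection("ESP", "3DES-CBC"))]


if __name__ == "__main__":
    print("mixed    ->", select_suite(MIXED_PROPOSAL, POLICY_AH_AND_ESP))
    print("AH only  ->", select_suite(AH_ONLY_PROPOSAL, POLICY_AH_AND_ESP))
    print("ESP only ->", select_suite(ESP_ONLY_PROPOSAL, POLICY_AH_AND_ESP))
```

With the AH+ESP policy, the mixed proposal yields suite #2 (the initiator's #1, ESP alone, is skipped even though it is preferred), and the AH-only and ESP-only proposals are rejected outright, which is the point of the message: the responder never ends up with one protocol in place waiting on a second exchange that may never come.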