
RE: Bundle or not in negotiation



> If my security policy requires that a certain pair of phase 2 ids be
> protected by both ESP and AH, I'm going to expect the peer to propose a
> combination of the two.  If someone proposes only AH or only ESP for that
> id pair, then that is a violation of my security policy and I'm going to
> reject the offer.  Under no circumstances do I want to send or receive
> data between those two ids with inadequate protection.  Besides, I have
> no control over what the peer does.  Suppose that the initiator proposes
> only AH and the responder accepts it.  The responder knows that ESP is
> also required.  At that point, does it wait for a second exchange from
> the initiator?  If yes, how long?  Or does it just start a fresh exchange
> with the initiator?  That's just going to make the overlapping exchanges
> issue more of a problem.

I agree with Markku. It should be possible to negotiate separately the two
SAs in a bundle, even when both SAs have the same endpoints. Yes, you will
not send or receive data unless it is protected by both SAs, but that is
enforced separately. (For example, when receiving the data, it's the inbound
SPD verification described in section 5.2 of the IPsec architecture spec.)

Since there appear to be different opinions on this question, I think
there's a serious interoperability problem lurking here.

Rich
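A simplified model of the inbound SPD verification Rich refers to, added here as an illustration and not code from the thread or from any IPsec implementation. The AH and ESP SAs are installed independently, as if negotiated in separate exchanges, and the check on each received packet is what enforces "both SAs" for the id pair. SA, SPDEntry, InboundProcessor and the SPI values are constructed for the example.

```python
"""Inbound SPD check: SAs are negotiated and installed one at a time, but a
packet is accepted only if the set of SAs it actually arrived through covers
the protection the policy requires (cf. RFC 2401 section 5.2). Simplified;
names and sample values are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    proto: str            # "AH" or "ESP"
    src: str
    dst: str


@dataclass(frozen=True)
class SPDEntry:
    src: str
    dst: str
    required: frozenset   # protocols the traffic must carry, e.g. {"AH", "ESP"}


class InboundProcessor:
    def __init__(self, spd):
        self.spd = spd
        self.sad = {}     # (dst, proto, spi) -> SA

    def install_sa(self, sa):
        # Each SA comes from its own negotiation; no bundle state is kept here.
        self.sad[(sa.dst, sa.proto, sa.spi)] = sa

    def policy_for(self, src, dst):
        return next((e for e in self.spd if (e.src, e.dst) == (src, dst)), None)

    def accept(self, src, dst, headers):
        """headers: IPsec headers the packet carried, as (proto, spi) pairs.
        Returns (accepted, reason)."""
        policy = self.policy_for(src, dst)
        if policy is None:
            return False, "no policy for this id pair"
        applied = set()
        for proto, spi in headers:
            sa = self.sad.get((dst, proto, spi))
            if sa is None:
                return False, f"unknown SA {proto}/{spi:#x}"
            if (sa.src, sa.dst) != (src, dst):
                return False, f"selector mismatch on {proto}/{spi:#x}"
            applied.add(proto)
        missing = policy.required - applied
        if missing:
            return False, "inadequate protection, missing " + ",".join(sorted(missing))
        return True, "ok"
```

A packet carrying only the AH header is dropped at this check even though the AH SA itself was negotiated and accepted, which is the separation between negotiation and enforcement the reply argues for.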