
Re: Bundle or not in negotiation



On Thu, 19 Nov 1998 18:29:50 +0200 you wrote
> 
> Unfortunately, I don't know IKE well enough to understand above
> statement. My view is totally from IPSEC direction: in this case it
> needs SA pair for AH and it needs SA pair for ESP, which both it asks
> from the key management separately. Both requests contain full
> information to set them up independently. It is up to key management,
> if it wants to combine the negotiations. But, even if combined, what
> is it that AH SA negotiation needs from ESP SA negotiation or vice
> versa?

It doesn't really need anything but you have to express your wishes to
the peer as unambiguously as possible. If your wishes are "protect all
these packets with both AH and ESP" but you say "protect all these packets
with AH" and then at some later time say "protect all these packets with
ESP" the peer can do two things. He can refuse your AH offer because his
policy says he needs ESP in addition to AH and you just offered AH or
he could create the AH SA and hope, perhaps in vain, for you to offer
ESP later. That's ambiguous and ripe for failure. But by offering them
together you're expressing to the peer your wishes: "I want to do these
together on this traffic".

There is a desire for some to have opportunistic encryptors who have
promiscuous policy: I'll do anything with anyone. Now if you offer AH
that box will accept that. Then you offer ESP and that box accepts that.
But you failed to specify that both AH and ESP have to be together. And
that box will probably try to send you packets, which you'll drop, protected
by AH or ESP.

Even without opportunistic encryptors there can be situations where policy
has not been configured symmetrically. I could require ESP for packets
and you require AH and ESP. If you offer ESP to me (assume the first acquire
you got was for ESP) I'll accept. If you later offer AH to me I won't.
I'll send you packets which you'll drop. To me we successfully negotiated
but you're dropping my packets.

By offering policies as bundles your offer is less ambiguous and there
is less room for interpretation and therefore failure.

> > > The application order of IPCOM+ESP+AH is defined by the policy, which
> > > *must* specify same order on both sides.
> 
> > Not according to earlier posts, which state that this issue came up
> > before.
> 
> This is what I am doing, I am questioning those earlier posts, the
> reasoning behind them, because I don't see the need for such
> requirement from IPSEC point of view. There is nothing in the KERNEL
> IPSEC architecture that demands ordering of the negotiations. The
> bundle attached to the policy selector defines the order of SAs to
> apply.

The requirements are not imposed on IPSec so there is no reason to look
at this solely from an IPSec point-of-view. The requirements are on IKE:
you have to negotiate bundles together in one negotiation. You can't
argue about negotiation requirements unless you look at them from the
perspective of negotiation!

You're right. Nothing in your kernel imposes any demands on negotiation.
But you can't expect there to be no demands on negotiation because of that. 

  Dan.
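The three situations argued above (a promiscuous peer, an asymmetric ESP-only peer, and a matching peer), modelled as an added example that is not part of the original thread. It simulates only the policy logic of the argument, not IKE's message format; the peer names, the `Peer` class and the accept rule are constructed assumptions.

```python
"""Toy model: offering AH and ESP one at a time versus as one bundle,
against peers whose policy differs from the initiator's. Constructed
example; it models the reasoning in the post, not IKE itself."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    required: frozenset        # protocols its policy demands on this traffic
    permissive: bool = False   # opportunistic: "I'll do anything with anyone"

    def accepts_offer(self, offer):
        return self.permissive or offer == self.required


def negotiate(initiator, responder, bundled):
    """Return the bundles established, one per accepted offer."""
    if bundled:
        offers = [initiator.required]                   # AH+ESP in one offer
    else:
        offers = [frozenset({p}) for p in sorted(initiator.required)]
    return [o for o in offers if responder.accepts_offer(o)]


def outcome(initiator, responder, bundled):
    """'agreed', 'refused' (clean failure) or 'broken' (SAs exist, traffic dropped)."""
    bundles = negotiate(initiator, responder, bundled)
    if not bundles:
        return "refused"
    # The responder protects packets with any single bundle it negotiated;
    # the initiator drops anything not carrying exactly what its policy wants.
    responder_ok = all(b == initiator.required for b in bundles)
    # The initiator only sends once everything it wanted exists, and the
    # responder drops packets that do not satisfy its own policy.
    have = frozenset().union(*bundles)
    initiator_ok = have == initiator.required and (
        responder.permissive or have == responder.required)
    return "agreed" if responder_ok and initiator_ok else "broken"


strict = Peer("wants AH+ESP", frozenset({"AH", "ESP"}))
opportunistic = Peer("accepts anything", frozenset(), permissive=True)
esp_only = Peer("wants ESP only", frozenset({"ESP"}))

if __name__ == "__main__":
    for peer in (opportunistic, esp_only, strict):
        for bundled in (False, True):
            print(f"{peer.name:18} {'bundle' if bundled else 'separate':9}"
                  f" -> {outcome(strict, peer, bundled)}")
```

Separate offers end in "broken" (SAs up, packets dropped) against both mismatched peers, while the bundled offer either agrees or is refused outright, which is the ambiguity the post is describing.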


