[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SA bundles, multiple tunnels?

To: ipsec@tis.com
Subject: SA bundles, multiple tunnels?
From: Ari Huttunen <Ari.Huttunen@lmf.ericsson.se>
Date: Tue, 01 Dec 1998 22:38:38 +0200
Organization: Oy L M Ericsson Ab
Sender: owner-ipsec@ex.tis.com

Hi folks,

I'm currently involved in IPSec implementation, and
I have a couple of specific questions. I've read the
architecture draft several times by now, but it didn't
seem to give me definitive answers.

Question 1:

Can one SA be a part of more than one SA bundle?

Question 2:

<-------SA1---------------->
          <-------SA2------>
[IP1][AH][IP2][AH][IP3][TCP]

Assume that I have two tunnel mode AH SAs. Both
of these SAs terminate at the current router. I further
define for both SAs a selector for "Transport Layer
Protocol". What should they match? Will the selector 
for SA1 match "IP" or will it go further down the
headers all the way to "TCP"?

Question 3:

<-------SA--------->
[IP1][ESP][IP2][TCP]

This is a sort of stupid question. Assume that I have 
one ESP SA terminating at the current router. Here a
selector for transport layer protocol is also defined
for this SA. Should the behaviour be to

a) First match the selector, producing OPAQUE, since
   the inner packet is still encrypted. Or

b) First decrypt the packet, and only then match 
   the selector, which now succeeds fine.

Only b) seems sane, but the architecture RFC section
5.2.1 only says 
   "Use the SA found in (1) to do the IPsec processing, e.g.,
    authenticate and decrypt.  This step includes matching the
    packet's (Inner Header if tunneled) selectors to the
    selectors in the SA."
This could mean either behaviour.

Question 4:

What sort of policy filtering does IPSec intend to define
for throughgoing IPSec traffic? 

This is related to the previous question, since if a) 
is the intended behaviour, the following sentence at 
section 4.4.2 makes a whole lot more sense.
"NOTE: To locate the transport protocol, a system has to chain
       through the packet headers checking the "Protocol" or "Next
       Header" field until it encounters either one it recognizes as a
       transport protocol, or until it reaches one that isn't on its
       list of extension headers, or until it encounters an ESP header
       that renders the transport protocol opaque."
Thus for throughgoing traffic, which can't be authenticated
or decrypted, the selector in the policy database would 
go inside the protected packet.

Thanks,

Ari Huttunen

begin:vcard 
n:Huttunen;Ari
tel;fax:+358-9-2992634
tel;work:+358-9-2992472
x-mozilla-html:FALSE
org:L M Ericsson;LMF/T/TK
version:2.1
email;internet:Ari.Huttunen@lmf.ericsson.se
title:Software Designer
adr;quoted-printable:;;Oy L M Ericsson Ab=0D=0ATelecom R&D;;;02420 Jorvas;Finland
x-mozilla-cpt:;-30024
fn:Ari Huttunen
end:vcard

Follow-Ups:

Re: SA bundles, multiple tunnels?

From: rohit <rohit@trinc.com>

Prev by Date: Some possible discussion items on "PKI Requirements"
Next by Date: Re: Use IPSEC as SSH replacement
Prev by thread: Some possible discussion items on "PKI Requirements"
Next by thread: Re: SA bundles, multiple tunnels?
Index(es):
- Main
- Thread