
No Subject




Hi,

I ran into an interoperability situation between 2 IPsec implementations
when the customer tried to set up 2 networks behind a security gateway as
part of the same VPN.

network1 -----
             |
            SG1----x             x--SG2--- peer network
             |
network2 -----

In the first implementation (SG1)
    The security gateway uses the same IPsec SA to send traffic from both
    networks, since data originating from both networks is part of the same
    VPN and hence there is no point creating another SA with the same crypto
    parameters. The security gateway applies the same logic on inbound
    traffic also and accepts packets on an IPsec SA as long as the IP
    addresses match local policy.

In the second implementation (SG2)
    The implementation is more stringent and tries to constrict the packets
    accepted on an SA to exactly match the addresses negotiated for that SA.
    The drawback of this approach seems to be that when one wants to protect
    more than one network as part of the same VPN (policy) you have to create
    1 SA per network. The same problem exists when you want hosts from more
    than one network to be part of the same VPN (policy). You incur the cost
    of creating multiple SAs.
 
    Both SG1 and SG2 agree on local policy. However, SG1 creates only one SA
    whereas SG2 expects multiple SAs to be created. SG2 requires the IP
    addresses of decrypted packets on an SA to match the negotiated
    addresses. This forces SG1 to create multiple SAs. SG1 also verifies the
    addresses of decrypted packets, but they are accepted as long as they
    match the local policy.
    
    Should the address checking be local-policy based or based on negotiated
    addresses? The additional SAs share the same crypto parameters and hence
    seem redundant.
    
    I reviewed the archives. There were previous discussions on this topic
    but never any definite conclusion. The RFCs do not take a position one
    way or the other.

    I am willing to go either way but would like to know the most
    interoperable approach. My preference is to avoid creating multiple SAs
    in this scenario unless there is a definite security advantage/reason
    for constricting IPsec SAs created for the same VPN (policy).

    Thanks for any comments.

    -- sankar (sankar@vpnet.com) --
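The two inbound address-check rules contrasted in the message above, as an added example that is not part of the original post and not code from either gateway. It models SG1's local-policy check and SG2's negotiated-selector check over a constructed topology (the network prefixes, SPIs and packet addresses are assumptions chosen for illustration) and shows why a packet from the second network, sent on the SA negotiated for the first, passes one check and fails the other.

```python
# Added example (not code from either gateway in the post): a minimal model of
# the two inbound address-check rules the post contrasts. SPD entries, SA
# selectors and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SPDEntry:
    """One 'protect' rule of the local security policy database."""
    remote: IPv4Network   # network behind the other gateway
    local: IPv4Network    # network protected by this gateway


@dataclass(frozen=True)
class SA:
    """An inbound IPsec SA and the selectors negotiated for it in phase 2."""
    spi: int
    remote_sel: IPv4Network   # negotiated source selector (peer side)
    local_sel: IPv4Network    # negotiated destination selector (our side)


@dataclass(frozen=True)
class Packet:
    """Addresses of a packet after decryption, plus the SA it arrived on."""
    spi: int
    src: IPv4Address
    dst: IPv4Address


def matches_spd(spd: List[SPDEntry], pkt: Packet) -> bool:
    """Does some SPD entry cover the decrypted source/destination pair?"""
    return any(pkt.src in e.remote and pkt.dst in e.local for e in spd)


def lookup_sa(sas: List[SA], spi: int) -> Optional[SA]:
    return next((s for s in sas if s.spi == spi), None)


def accept_policy_based(spd: List[SPDEntry], sas: List[SA], pkt: Packet) -> bool:
    """SG1 rule: a packet on any known SA is accepted as long as its
    addresses match local policy; the SA's own selectors are not consulted."""
    if lookup_sa(sas, pkt.spi) is None:
        return False
    return matches_spd(spd, pkt)


def accept_selector_based(spd: List[SPDEntry], sas: List[SA], pkt: Packet) -> bool:
    """SG2 rule: the addresses must fall inside the selectors negotiated for
    the SA the packet arrived on, and then must also match local policy."""
    sa = lookup_sa(sas, pkt.spi)
    if sa is None:
        return False
    if pkt.src not in sa.remote_sel or pkt.dst not in sa.local_sel:
        return False
    return matches_spd(spd, pkt)


# Constructed topology, seen from SG2's side: two networks behind SG1
# (network1, network2) are both in the same VPN with SG2's peer network.
NETWORK1 = ip_network("10.1.1.0/24")
NETWORK2 = ip_network("10.1.2.0/24")
PEER_NET = ip_network("10.2.0.0/16")

SPD_AT_SG2 = [SPDEntry(remote=NETWORK1, local=PEER_NET),
              SPDEntry(remote=NETWORK2, local=PEER_NET)]

# SG1 negotiates a single SA with network1 as the remote selector and then
# reuses it for traffic originating in network2 as well.
SINGLE_SA = [SA(spi=0x1001, remote_sel=NETWORK1, local_sel=PEER_NET)]

FROM_NET1 = Packet(spi=0x1001, src=ip_address("10.1.1.7"), dst=ip_address("10.2.3.4"))
FROM_NET2 = Packet(spi=0x1001, src=ip_address("10.1.2.7"), dst=ip_address("10.2.3.4"))
# Source outside both networks: must be dropped under either rule.
STRAY = Packet(spi=0x1001, src=ip_address("192.0.2.9"), dst=ip_address("10.2.3.4"))


def outcome(rule: Callable[[List[SPDEntry], List[SA], Packet], bool],
            sas: List[SA]) -> Dict[str, bool]:
    """Apply one rule to the three constructed packets."""
    return {name: rule(SPD_AT_SG2, sas, pkt)
            for name, pkt in (("net1", FROM_NET1), ("net2", FROM_NET2), ("stray", STRAY))}


if __name__ == "__main__":
    print("policy-based  :", outcome(accept_policy_based, SINGLE_SA))
    print("selector-based:", outcome(accept_selector_based, SINGLE_SA))
    # What SG2 expects: a second SA whose selectors cover network2.
    two_sas = SINGLE_SA + [SA(spi=0x1002, remote_sel=NETWORK2, local_sel=PEER_NET)]
    net2_on_sa2 = Packet(spi=0x1002, src=FROM_NET2.src, dst=FROM_NET2.dst)
    print("selector-based, second SA:",
          accept_selector_based(SPD_AT_SG2, two_sas, net2_on_sa2))
```

Running it prints both verdicts for the three constructed packets: the policy-based rule accepts the network2 packet on the single SA, the selector-based rule rejects it, and both drop the stray source. The second-SA case at the end is the extra negotiation SG2 in effect forces on SG1. Note that under the policy-based rule the SPI is only checked for existence, so which SA a packet arrived on contributes nothing to the accept decision beyond the fact that it decrypted.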



