Re: Q about SA bundles

[Markku Savela <msa@anise.tte.vtt.fi>]

> From: Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM>
> Last time this was discussed, somebody replied 
> "While you are negotiating AH IPSEC SA, and the other end's policy
>  requirement is ESP + AH, how does the other end know you will
>  negotiate ESP after negotiating AH i.e should the other side
>  accept the negotiation assuming you will negotiate ESP in
>  a short while or reject assuming that you are not negotiating
>  ESP " ?

A short answer:

	While negotiating AH IPSEC SA, the responder site doesn't need
	to know or care whether it is associated with a AH+ESP bundle
	or not.

Longer answer:

                 H1                                H2
    ------------------------               ------------------ 
(0) IP:H1->H2 ->SA0 -> SA1 ==================> SA1
     \                  ^                       ^
      \                 |                       |
       \                |                       |
(1) ACQUIRE SA: H1->H2  |  <-- Key Mgmnt -->    |
         \              |
          ------------------------------> (2) GETSPI: dst=H2
                        |                     UPDATE SA: dst=H2
                        |                          /
                                                  /
          (3) ADD SA: dst=H2 <--------------------


The initiator (H1) only has the PFKEY ACQUIRE information to go with,
and it simply includes a list of algorithms from which to choose (the
other information is address and identity)

Thus assume, a policy saying

	dst=H2 => AH(md5, sha1, foo), ESP(3des, idea, blowfish, md5)

then, the ACQUIRE for AH contains combinations
	1) md5
	2) sha1
	3) foo
all of these supported by the initiator side. This list is passed to
the responder (H2).

The responder host only supports md5 and sha1 (known to the key
management from the reply of the PFKEY REGISTER message).

	My claim and goal is: The responder side of the negotiation
	does not need to care about the policy.

It only selects the SPI and chooses the algorithm from the proposed
list (md5, sha1, foo), and as it only knows the first two, it can pick
either one, say sha1. It creates the end point SA and reports back to
the initiator the SA attributes, so that it can create the starting
point of the SA.

The ESP is handled exactly the same way, independently. and ending
with, for example, (3des,md5) for ESP. With SAs set

   SA1 (AH: sha1) --------------------> SA1 (AH: sha1)
   SA2 (ESP: 3des,md5) ----------------> SA2 (ESP: 3des,md5)

H1 is finally able to send a packet to the H2. H2 receives the packet
and successfully applies SA1 and SA2 to this. And, only *after* this
it needs to be checked whether the policy is matched. For example
 
	src=H1 => AH(md5, sha1, foo), ESP(3des, idea, blowfish, md5)

Looking for a matching SA for AH(md5, sha1, foo) and packet, it should
return SA1, and for ESP(3des, idea, blowfish, md5) it should return
SA2. If this happens, the policy condition is filled and packet
passes, and otherwise not.

	[I admit that the above matching part is somewhat untraversed
	territory for me, as my policy defition doesn't (yet) have
	alternatives for the algorithm, policy just says use one or
	don't communicate. With multiple choices of algorithms, the
	search may(?) result with one SA per algorithm, and my guess
	is that if the applied SA is included in such result, the
	policy passes.]

My key premise here is still: policies on both ends must be same.

Note also, that I have included 'foo' in the policy of H2, even though
it does not support it. The idea is that, if the support for 'foo' is
added to the kernel IPSEC, then it becomes automatically available for
the negotiations. This allows gradual deployment of new algorithms.

                 ********************************

SOME OTHER COMMENTS:

 - assuming policy with bundle ESP+AH, there is nothing in PFKEY
   ACQUIRE (unless I missed something), that would tell the key
   management that these two ACQUIREs are actually from the same
   bundle. [And I think this is a good thing ]

 - with all this, I am only trying cut down the implementation work
   into manageable pieces, most important being the ability to
   describe the pieces of IPSEC in exact manner. These descriptions
   can be used to decide which implementation is correct, when
   problems surface.

 - there are many fuzzy areas, for example, how do ACQUIRE information
   and the resulting SA information relate to each other, specifically
   things like SRC_ADDRESS, PROXY_ADDRESS, IDENTITY etc. How much
   freedom the keymanagement really has? For example, my current
   implementation

	  if ACQUIRE has exlicit SRC_ADDRESS, and the resulting ADD SA
	  does not include the same source address extension, then my
	  SA locating does not find the SA. And vice versa, if ACQUIRE
	  does not have the SRC address, it should not be present in
	  the SA either (IADDR_ANY). [The presence of SRC and other
	  things in ACQUIRE is mostly controlled by the policy
	  definition, which is very delicately involved in the SA
	  locating, as can be deduced from my descriptions... ]

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

---

Follow-Ups:

• Re: Q about SA bundles
• From: Daniel Harkins <dharkins@cisco.com>

References:

• Re: Q about SA bundles
• From: Mohan Parthasarathy <Mohan.Parthasarathy@Eng.Sun.Com>

---

• Prev by Date: IPsec implementations sought
• Next by Date: update -- next testing event
• Prev by thread: Re: Q about SA bundles
• Next by thread: Re: Q about SA bundles
• Index(es):
  • Main
  • Thread