
RE: New IPSec Monitoring MIB draft



Tim Jenkins writes:
> > There doesn't seem to be any way to identify what ISAKMP SA (phase 1)
> > was used to create IPSec SA (phase 2). There is no index from the
> > IpsecProtSuiteEntry to the IpsecIkeSaEntry. I think there should be a
> > way to find the Phase 1 SA based on the Phase 2 SA, so users can find
> > for example the certificate and the identities used to create that
> > IPSec SA. 
> Not directly. The reason for that is that phase 2 lifetimes are independent
> of phase 1 lifetimes. If the phase 1 SA that created a particular phase 2 SA
> expires before the phase 2 SA, where do you point the phase 2 SA?

Either keep the old index number (which cannot be reused as long as the
phase 2 SA is valid), or change it to some special number, meaning
that the phase 2 SA doesn't have a phase 1 SA.

> The indirect way is to take the 'ipsecProtSuiteLocalAddress' and
> 'ipsecProtSuiteRemoteAddress' values from the protection suite entry of
> interest, and do a search in the 'ipsecIkeSaTable' using the values
> 'ipsecIkeSaLocalIpAddress' and 'ipsecIkeSaPeerIpAddress', since that's where
> the protection suite pairs (inbound and outbound) go to and come from.

And then you can find several phase 1 SA entries having the same local
and peer addresses, but having different certificates (and users). In a
multiuser environment you really need to keep the connection between
phase 1 and phase 2 SAs if you want to have any kind of user-based
authentication.

> > >       ipsecProtSuiteTimeLimit         OCTET STRING, -- 
> > Why octet string? I know that those can be variable length, but I
> > think Counter64 or similar is enough for them.
> The main reason was to make it the same as the attribute used. You make a
> good point below about the size, though, if it is a basic attribute format.

I think the MIBs in general are hard enough, without us adding special
encodings of the integers from another document. I think we should
use the MIB way of representing integer numbers, even if we then limit
ourselves to 64-bit numbers :-)
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
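The two lookup strategies argued over above, as an added illustration that is not part of the thread or of the draft MIB: a small in-memory model of the protection suite table and the ipsecIkeSaTable. The address-pair join the draft relies on is shown returning several phase 1 candidates when two users share the same gateway pair, while a direct index column (the `ike_sa_index` column, the `identity` column, the monotonic index allocation and the `NO_PHASE1` sentinel are all assumptions of this example, not columns of the draft) survives phase 1 expiry in either of the two ways the reply proposes. Addresses and identities are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

NO_PHASE1 = 0   # assumed sentinel: "this phase 2 SA has no phase 1 SA any more"


@dataclass
class IkeSaEntry:
    """Row of ipsecIkeSaTable (constructed subset of columns)."""
    index: int
    local_ip: str      # ipsecIkeSaLocalIpAddress
    peer_ip: str       # ipsecIkeSaPeerIpAddress
    identity: str      # assumed column: authenticated peer identity (e.g. cert subject)


@dataclass
class ProtSuiteEntry:
    """Row of the protection suite table (constructed subset of columns)."""
    index: int
    local_addr: str    # ipsecProtSuiteLocalAddress
    remote_addr: str   # ipsecProtSuiteRemoteAddress
    ike_sa_index: int  # assumed new column: index of the phase 1 SA that created this suite


class SaTables:
    """In-memory model of both tables plus the two lookup strategies."""

    def __init__(self) -> None:
        self.ike: dict[int, IkeSaEntry] = {}
        self.suites: dict[int, ProtSuiteEntry] = {}
        self._next_ike = 1       # monotonic: a phase 1 index is never handed out twice
        self._next_suite = 1

    def add_ike_sa(self, local_ip: str, peer_ip: str, identity: str) -> int:
        idx = self._next_ike
        self._next_ike += 1
        self.ike[idx] = IkeSaEntry(idx, local_ip, peer_ip, identity)
        return idx

    def add_suite(self, ike_sa_index: int) -> int:
        """Phase 2 SA negotiated under an existing phase 1 SA inherits its address pair."""
        ike = self.ike[ike_sa_index]
        idx = self._next_suite
        self._next_suite += 1
        self.suites[idx] = ProtSuiteEntry(idx, ike.local_ip, ike.peer_ip, ike_sa_index)
        return idx

    def expire_ike_sa(self, ike_sa_index: int, use_sentinel: bool = False) -> None:
        """The phase 1 SA goes away while phase 2 SAs created by it live on.
        Default: suites keep the stale index (safe, since indices are never reused).
        use_sentinel=True: rewrite the reference to NO_PHASE1 instead."""
        del self.ike[ike_sa_index]
        if use_sentinel:
            for s in self.suites.values():
                if s.ike_sa_index == ike_sa_index:
                    s.ike_sa_index = NO_PHASE1

    def lookup_by_address(self, suite_index: int) -> list[IkeSaEntry]:
        """Indirect join on the address pair: may return several candidates."""
        s = self.suites[suite_index]
        return [e for e in self.ike.values()
                if e.local_ip == s.local_addr and e.peer_ip == s.remote_addr]

    def lookup_by_index(self, suite_index: int) -> Optional[IkeSaEntry]:
        """Direct reference: None when the phase 1 SA is gone or the sentinel is set."""
        return self.ike.get(self.suites[suite_index].ike_sa_index)


def demo() -> dict:
    """Two users behind the same gateway pair; observe both lookup strategies."""
    t = SaTables()
    a = t.add_ike_sa("10.0.0.1", "192.0.2.7", "CN=alice")   # constructed addresses
    b = t.add_ike_sa("10.0.0.1", "192.0.2.7", "CN=bob")     # same pair, different user
    sa = t.add_suite(a)
    sb = t.add_suite(b)
    result = {
        "address_candidates": len(t.lookup_by_address(sa)),   # 2: join is ambiguous
        "direct_identity": t.lookup_by_index(sa).identity,    # exact: CN=alice
    }
    t.expire_ike_sa(a)                                        # option 1: keep the old index
    result["after_expiry"] = t.lookup_by_index(sa)            # None, but no wrong answer
    result["stale_index_kept"] = t.suites[sa].ike_sa_index    # still a's index
    c = t.add_ike_sa("10.0.0.1", "192.0.2.7", "CN=carol")
    result["index_not_reused"] = c != a                       # stale index cannot alias carol
    t.expire_ike_sa(b, use_sentinel=True)                     # option 2: special number
    result["sentinel"] = t.suites[sb].ike_sa_index            # NO_PHASE1
    return result


if __name__ == "__main__":
    print(demo())
```

The monotonic index counter is what makes the first option safe: as long as the phase 2 SA lives, its stale phase 1 index can never be reassigned to a different peer, so a manager reading it either finds the right identity or finds nothing.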
