I am a student from China and am interested in IPsec.
I have some questions:
o Should the protocol algorithm be specified in SPD
entries? What would an SPD entry look like?
o In the processing of inbound traffic, RFC 2401 says:
4. Check whether the required IPsec processing has been
applied, i.e., verify that the SA's found in (1) and (2)
match the kind and order of SAs required by the policy
found in (3).
I wonder, what does "the kind and order of SAs" mean?
Does "kind" encompass the IPsec protocol, the algorithm
used, key length, IV mode, etc.?
o Because of the directionality of SAs, does this mean
that the initiator of the SA setup associated with
the inbound connection should be the peer, while for
the outbound connection it should be the local host or SGW?
o If the peer ISAKMP daemon initiates the SA setup,
should the host or SGW check the SA against the
corresponding SPD entry? Say SGW x calls y
to set up an SA; should y check whether the SA
proposed by x satisfies the policy about the traffic
between x and y? If so, the ISAKMP payload should
carry the information to guide the responder
in choosing which SPD entry to check the proposed SA against,
but neither IKE nor Oakley transmits such information
to the peer.
o After the machine boots up, should the ISAKMP daemon
actively set up SAs according to the local SPD, or just
passively wait for the kernel IPsec module to
send a KEY_ACQUIRE request?
THANKS & REGARDS
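The first two questions above (what an SPD entry holds, and what the "kind and order of SAs" check in step 4 of RFC 2401's inbound processing amounts to) can be made concrete with a small model. The Python below is an added example, not code from the original mail or from any IPsec stack. The names Sa, SpdEntry, lookup_spd, inbound_policy_check and check_packet, and the sample policy, are assumptions made for illustration; "kind" is modelled as the (protocol, mode) pair, order as the outermost-first sequence of headers found on the packet, and the SPD's algorithm field (which RFC 2401 section 4.4.1 lists alongside protocol and mode) is checked as a separate step so the two concerns stay visible.

```python
"""Toy model of RFC 2401 SPD entries and the inbound "kind and order" check.

Added example, not code from the original mail or from any IPsec stack.
Sa, SpdEntry, lookup_spd, inbound_policy_check, check_packet and the
sample policy are assumptions made for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Kind = Tuple[str, str]  # (protocol, mode), e.g. ("ESP", "tunnel")


@dataclass(frozen=True)
class Sa:
    """An SA as recovered from an inbound packet's IPsec headers."""
    protocol: str                     # "AH" or "ESP"
    mode: str                         # "transport" or "tunnel"
    spi: int
    algorithms: Tuple[str, ...] = ()  # algorithms negotiated for this SA

    @property
    def kind(self) -> Kind:
        return (self.protocol, self.mode)


@dataclass
class SpdEntry:
    """Selectors plus the policy for traffic matching them.

    `required` lists (protocol, mode) pairs outermost header first, the order
    in which inbound processing strips them.  `allowed_algs` maps a protocol
    to the algorithm names the policy permits for it (missing = any).
    """
    src: str                    # address or CIDR prefix
    dst: str
    upper_proto: Optional[int]  # IP protocol number, None = any
    action: str                 # "DISCARD", "BYPASS" or "PROTECT"
    required: List[Kind] = field(default_factory=list)
    allowed_algs: Dict[str, List[str]] = field(default_factory=dict)

    def matches(self, src: str, dst: str, upper_proto: int) -> bool:
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        proto_ok = self.upper_proto is None or self.upper_proto == upper_proto
        return in_src and in_dst and proto_ok


def lookup_spd(spd: List[SpdEntry], src: str, dst: str,
               upper_proto: int) -> Optional[SpdEntry]:
    """The SPD is an ordered list; the first matching entry wins."""
    for entry in spd:
        if entry.matches(src, dst, upper_proto):
            return entry
    return None


def inbound_policy_check(entry: Optional[SpdEntry],
                         applied: List[Sa]) -> Tuple[bool, str]:
    """Step 4 of RFC 2401 section 5.2.1 for one inbound packet.

    `applied` holds the SAs whose headers were actually found on the packet,
    outermost first.  The packet passes only if that sequence equals the kind
    and order the matching SPD entry demands and the algorithms are allowed.
    """
    if entry is None:
        return False, "no SPD entry matches the inner packet: discard"
    if entry.action == "DISCARD":
        return False, "policy is DISCARD"
    if entry.action == "BYPASS":
        if applied:
            return False, "BYPASS traffic arrived with IPsec applied"
        return True, "bypass"
    got = [sa.kind for sa in applied]
    if got != entry.required:
        return False, f"kind/order mismatch: required {entry.required}, got {got}"
    for sa in applied:
        allowed = entry.allowed_algs.get(sa.protocol, [])
        bad = [a for a in sa.algorithms if allowed and a not in allowed]
        if bad:
            return False, f"{sa.protocol} SPI {sa.spi:#x} uses disallowed {bad}"
    return True, "accepted"


# Constructed sample SPD (inbound direction) for a gateway in front of 10.1.0.0/16.
SAMPLE_SPD = [
    # Host-to-host TCP: AH outside ESP, both transport mode.
    SpdEntry("10.2.7.7", "10.1.5.5", 6, "PROTECT",
             required=[("AH", "transport"), ("ESP", "transport")],
             allowed_algs={"AH": ["HMAC-SHA1"], "ESP": ["3DES-CBC"]}),
    # ICMP between the sites may bypass IPsec; listed before the catch-all.
    SpdEntry("10.2.0.0/16", "10.1.0.0/16", 1, "BYPASS"),
    # Everything else between the sites rides a single ESP tunnel.
    SpdEntry("10.2.0.0/16", "10.1.0.0/16", None, "PROTECT",
             required=[("ESP", "tunnel")],
             allowed_algs={"ESP": ["3DES-CBC", "HMAC-SHA1"]}),
]


def check_packet(src: str, dst: str, upper_proto: int,
                 applied: List[Sa]) -> Tuple[bool, str]:
    """Look up the inner packet's selectors, then apply the step-4 check."""
    return inbound_policy_check(lookup_spd(SAMPLE_SPD, src, dst, upper_proto), applied)


if __name__ == "__main__":
    ah = Sa("AH", "transport", 0x100, ("HMAC-SHA1",))
    esp = Sa("ESP", "transport", 0x101, ("3DES-CBC",))
    print(check_packet("10.2.7.7", "10.1.5.5", 6, [ah, esp]))  # accepted
    print(check_packet("10.2.7.7", "10.1.5.5", 6, [esp]))      # ESP alone: mismatch
    print(check_packet("10.2.7.7", "10.1.5.5", 6, [esp, ah]))  # wrong order: mismatch
```

Running the module prints one result per case. The point the model makes about the questioner's "kind" is that protocol and mode decide whether the header sequence matches at all, while the algorithm check is a second gate driven by the same SPD entry; with a real SADB the `applied` list would come from the SA lookups of steps (1) and (2) rather than being built by hand.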