

Dear ipsec@tis.com,
    I am a student from China, and am interested in IPsec.
    I have some questions:
    o     Should the protocol algorithm be specified in SPD
          entries? What would an SPD entry look like?
    o     In the processing of inbound traffic, RFC 2401 says:

           4. Check whether the required IPsec processing has been
              applied, i.e., verify that the SA's found in (1) and (2)
              match the kind and order of SAs required by the policy
              found in (3).

          I wonder, what does "the kind and order of SAs" mean?
          Does "kind" encompass the IPsec protocol, the algorithm
          used, key length, IV mode, etc.?

    o     Because of the directionality of SAs, does this mean
          that the initiator of the SA setup associated with
          the inbound connection should be the peer, while
          for the outbound connection it is the local host or SGW?
    o     If the peer ISAKMP daemon initiates the SA setup,
          should the host or SGW check the SA against the
          corresponding SPD entry? Say the SGW x calls y
          to set up an SA; should y check whether the SA
          proposed by x satisfies the policy about the traffic
          between x and y? If so, the ISAKMP payload should
          carry the information to guide the responder
          to choose which SPD entry to check the proposed SA
          against, but neither IKE nor Oakley transmits such
          information to the peer.
    o     After the machine boots up, should the ISAKMP daemon
          actively set up SAs according to the local SPD, or just
          passively wait for the kernel IPsec module to
          send a KEY_ACQUIRE request?


    Wang Huaibo
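The following is an added illustration, not part of the original e-mail and not code from RFC 2401 or any IPsec implementation. It models the inbound-processing steps (1) to (4) quoted above: look up each SA in the SAD by (SPI, destination, protocol), look up the matching SPD entry by the inner packet's selectors, then verify that the SAs found match the policy's required SAs in kind and order. All names (Selector, SPDEntry, SA, inbound_check), the choice to model "kind" as (protocol, mode) only, the convention that required SAs are listed in outer-to-inner wire order, and every address, SPI and policy value are constructed assumptions for the example.

```python
"""Toy model of RFC 2401 inbound SPD/SAD processing (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """SPD selectors: address ranges plus optional transport protocol and port."""
    src: str                     # CIDR, e.g. "10.1.0.0/16"
    dst: str
    proto: Optional[int] = None  # IP protocol number; None means any
    dport: Optional[int] = None  # destination port; None means any

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class Requirement:
    """One required SA in a bundle: the 'kind' checked here is protocol + mode.
    (Assumption: algorithms/key lengths are negotiated per SA, not checked here.)"""
    protocol: str  # "AH" or "ESP"
    mode: str      # "transport" or "tunnel"


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str           # "discard", "bypass" or "apply"
    required: tuple = ()  # Requirements in outer-to-inner wire order (assumption)


@dataclass(frozen=True)
class SA:
    spi: int
    protocol: str
    mode: str
    dst: str  # outer destination address


def sad_lookup(sad: dict, spi: int, dst: str, protocol: str):
    """Step (1)/(2): inbound SA is identified by (SPI, dest addr, protocol)."""
    return sad.get((spi, dst, protocol))


def spd_lookup(spd, pkt: dict):
    """Step (3): first SPD entry whose selectors match the inner packet."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return None


def inbound_check(spd, sad, headers, inner_pkt):
    """headers: IPsec headers present on the wire, outer-to-inner, as
    (spi, outer_dst, protocol) tuples. Returns (accepted, reason)."""
    found = []
    for spi, dst, proto in headers:
        sa = sad_lookup(sad, spi, dst, proto)
        if sa is None:
            return False, f"no SA for spi={spi:#x} dst={dst} {proto}"
        found.append(sa)
    entry = spd_lookup(spd, inner_pkt)
    if entry is None or entry.action == "discard":
        return False, "policy discards this traffic"
    if entry.action == "bypass":
        # bypass traffic is accepted only when no IPsec was applied
        return (not found), "bypass"
    # Step (4): compare kind AND order of the SA bundle against the policy.
    applied = tuple(Requirement(sa.protocol, sa.mode) for sa in found)
    if applied != entry.required:
        return False, f"SA bundle {applied} does not match policy {entry.required}"
    return True, "ok"


# Constructed sample policy and SA database.
SPD = (
    SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16", proto=6, dport=23), "discard"),
    SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "apply",
             (Requirement("ESP", "tunnel"),)),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "bypass"),
)
SAD = {
    (0x1001, "192.0.2.2", "ESP"): SA(0x1001, "ESP", "tunnel", "192.0.2.2"),
    (0x1002, "192.0.2.2", "AH"): SA(0x1002, "AH", "transport", "192.0.2.2"),
}

if __name__ == "__main__":
    web = {"src": "10.1.1.1", "dst": "10.2.1.1", "proto": 6, "dport": 80}
    print(inbound_check(SPD, SAD, [(0x1001, "192.0.2.2", "ESP")], web))
    print(inbound_check(SPD, SAD, [(0x1002, "192.0.2.2", "AH")], web))
    print(inbound_check(SPD, SAD, [], web))
```

The third call shows why step (4) matters: a cleartext packet whose selectors match an "apply" entry is rejected even though it needs no SA lookup at all, and the second call shows a "kind" mismatch (AH transport where ESP tunnel is required) being caught even though the AH SA itself is valid.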