

At 08:26 AM 3/1/99 +0800, you wrote:
>Dear ipsec@tis.com,
>    I am a student from China, and am interested in IPsec.
>    I have some questions:
>    o     Should the protocol algorithm be specified in SPD
>          entries? What would an SPD entry look like?
Yes! You can specify the protocol algorithm in the SPD entry. An SPD entry may
look like a collection of: the protocol to be applied (AH/ESP), the mode
(transport/tunnel), the algorithm to be applied, the combination in which these
protocols are applied, etc.

>   o     In the processing of inbound traffic, RFC 2401 says:
>           4. Check whether the required IPsec processing has been
>              applied, i.e., verify that the SA's found in (1) and (2)
>              match the kind and order of SAs required by the policy
>              found in (3).
>         I wonder, what does "the kind and order of SAs" mean?
>         Does "kind" encompass the IPsec protocol, the algorithm
>         used, key length, IV mode, etc.?
"Kind" means whether the SA applied matches the SA you find attached to the
matched inbound policy. The "order of SAs" means checking whether the order in
which the SAs are specified in the policy is the same as the order in which you
applied them to the incoming packet to decrypt/deauthenticate it.

>    o     Because of the directionality of SA, does this mean
>          that the initiator of the SA setup associated with
>          the inbound connection should be the peer while
>          the outbound connection the local host or SGW?
I'm sorry, can you be clearer on this? Still, let me try. I think in either
direction, if the host is IPsec-capable you can have security up to that host;
if you are protecting a non-IPsec host with an SGW, then the SGW will take part
in the negotiations and establishment of SAs.

>    o     If the peer ISAKMP daemon initiates the SA setup,
>          should the host or SGW check the SA against the
>          corresponding SPD entry? Say, the SGW x calls y
>          to set up an SA; should y check whether the SA
>          proposed by x satisfies the policy about the traffic
>          between x and y? If so, the ISAKMP payload should
>          carry the information to guide the responder
>          to choose which SPD entry to check the proposed SA against,
>          but neither IKE nor Oakley transfers such information
>          to the peer.

You are supposed to extract the selectors from the packet and use them (by
reverting the selectors if needed) to select a matching inbound policy (in
phase 2 negotiations, if I am not wrong!).
>    o     After the machine boots up, should the ISAKMP daemon
>          actively set up SAs according to the local SPD, or just
>          passively wait for the kernel IPsec module to
>          send a KEY_ACQUIRE request?
Ideally it should wait for the KEY_ACQUIRE request.

Hope this will help !


 Rohit Aradhya
 Software Engineer
 Motorola (I) Electronics Ltd
 TSR Towers, Rajbhavan Road
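
To make the "what does an SPD entry look like" and "kind and order of SAs" points in the exchange above concrete, here is an added example in Python. It is not from the original post and not from any IPsec implementation. It assumes an SPD written in the local host's outbound terms (so an inbound packet's selectors are swapped before the lookup, as the reply suggests), a `required` tuple that lists the protections outermost first (the order in which they are stripped on receipt), and constructed sample addresses, ports and algorithm labels.

```python
# Added example, not part of the original post or of any IPsec implementation:
# a toy model of the SPD lookup and the RFC 2401 section 5.2.1 inbound check
# ("kind and order of SAs"). Names, the SPD layout and all sample data are
# constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Protection:
    """One IPsec layer: protocol, mode and algorithm (algorithm labels are hypothetical)."""
    protocol: str   # "AH" or "ESP"
    mode: str       # "transport" or "tunnel"
    algorithm: str  # e.g. "HMAC-SHA1-96", "3DES-CBC"


@dataclass(frozen=True)
class Selectors:
    """Selectors taken from a packet header, as seen on the wire."""
    src: str
    dst: str
    proto: int      # IP protocol number
    sport: int
    dport: int

    def inverted(self) -> "Selectors":
        # The SPD below is written from the local host's outbound point of view,
        # so an inbound packet is matched after swapping its endpoints and ports
        # (the "reverting the selectors" mentioned in the reply).
        return Selectors(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class SPDEntry:
    """A policy entry: selectors, an action, and the protections required, outermost first."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None             # None = any protocol
    dport: Optional[int] = None             # None = any destination port
    action: str = "protect"                 # "protect" | "bypass" | "discard"
    required: Tuple[Protection, ...] = ()   # order in which layers are stripped on receipt

    def matches(self, s: Selectors) -> bool:
        return (ip_address(s.src) in ip_network(self.src_net)
                and ip_address(s.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == s.proto)
                and (self.dport is None or self.dport == s.dport))


def lookup(spd: List[SPDEntry], s: Selectors) -> Optional[SPDEntry]:
    """First-match search of an ordered SPD."""
    for entry in spd:
        if entry.matches(s):
            return entry
    return None


def verify_inbound(spd: List[SPDEntry], pkt: Selectors,
                   applied: List[Protection]) -> Tuple[bool, str]:
    """Step 4 of RFC 2401 inbound processing: 'applied' lists the SAs that were
    actually stripped from the packet (outermost first); they must match the
    policy entry's required protections in both kind and order."""
    entry = lookup(spd, pkt.inverted())
    if entry is None or entry.action == "discard":
        return False, "no matching policy, or policy says discard"
    if entry.action == "bypass":
        # This toy treats bypass traffic as valid only when it arrived without IPsec.
        if applied:
            return False, "bypass entry but IPsec was applied"
        return True, "bypass"
    if tuple(applied) == entry.required:
        return True, "ok"
    # The same SAs in the wrong sequence is an order failure; anything else is a kind failure.
    if Counter(applied) == Counter(entry.required):
        return False, "right SAs, wrong order"
    return False, ("required %s, got %s" % ([p.protocol for p in entry.required],
                                            [p.protocol for p in applied]))


# Constructed sample policy for host 10.0.0.7, written in outbound terms.
AH_T = Protection("AH", "transport", "HMAC-SHA1-96")
ESP_T = Protection("ESP", "transport", "3DES-CBC")
SPD = [
    # Traffic to the 192.168.1.0/24 site: ESP inside AH (AH is the outer layer).
    SPDEntry("10.0.0.0/24", "192.168.1.0/24", required=(AH_T, ESP_T)),
    # Plain web traffic to anywhere: bypass.
    SPDEntry("10.0.0.0/24", "0.0.0.0/0", proto=6, dport=80, action="bypass"),
    # Everything else: discard.
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", action="discard"),
]

# Constructed inbound packets (src/dst as seen on the wire).
PKT_FROM_PEER = Selectors("192.168.1.5", "10.0.0.7", 6, 2000, 22)
PKT_FROM_WEB = Selectors("203.0.113.9", "10.0.0.7", 6, 80, 40000)
PKT_UNKNOWN = Selectors("203.0.113.9", "10.0.0.7", 17, 443, 5000)

if __name__ == "__main__":
    for label, pkt, applied in [("peer, AH then ESP", PKT_FROM_PEER, [AH_T, ESP_T]),
                                ("peer, ESP then AH", PKT_FROM_PEER, [ESP_T, AH_T]),
                                ("peer, ESP only", PKT_FROM_PEER, [ESP_T]),
                                ("web, no IPsec", PKT_FROM_WEB, []),
                                ("unknown", PKT_UNKNOWN, [])]:
        print(label, "->", verify_inbound(SPD, pkt, applied))
```

The `required` tuple is what the reply calls the combination of protocol, mode and algorithm attached to a policy; comparing it as a tuple rather than a set is what enforces "order" as well as "kind". Real implementations index inbound SAs by SPI first (steps 1 and 2 of the RFC) and only then consult the SPD; this toy skips the SAD and takes the stripped SAs as given.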