
Re: Automatic SPD Entry Creation for Remote Access IPSEC Clients

Ben,

>For example, please assume my inbound SPD states all UDP port 1701
>(L2TP) traffic from _ANY_ address must be encrypted using Transport
>mode ESP(3DES-SHA). Also assume that SPD entry requires SAD element
>derivation (creation) using the addresses, ports, etc from the packet.
>(This derivation mechanism is discussed on pages 14-15 of RFC 2401).
>
>As multiple remote peers establish SAs, each of their SAD entries
>is created using their source IP address as defined by the IKE
>phase 2 identity. (I'm getting fuzzy here so please correct me if
>I'm wrong on this). All of those SAD entries are bound to the
>single SPD which contained the _ANY_ source address wildcard value.
>
>Is this an acceptable alternative to dynamically creating SPD
>entries?
>
>
>Perhaps I can answer my own question. The specific packet that triggered
>the SA creation is not known in the _responding_ system therefore
>there is insufficient information to create the SAD element. That is
>why you recommended waiting until the first IPSEC packet arrives and then
>creating the SPD entry from that.
>
>Could you create the SAD entry and bind it to the wildcard source
>address SPD entry instead?

My example for the need for dynamic SPD entry creation is actually quite
different, though I don't disagree with the other answer you received.
Note that an SPD entry may contain an identifier of the form of a name,
e.g., a DNS name, DN, etc., rather than an address.  Thus, for example, one
might have SPD entries for road warriors based on user names, e.g., RFC 822
names or DNs, (since the user might employ different laptops or because the
laptop might have a dynamically assigned address, etc.)

But, packets don't contain names, and an SG will see the user name only
when the SA is negotiated; on a steady state basis, the SG will see only
the addresses of the source and destination. So, when an SA is negotiated
with a user of this sort, one needs to create temporary inbound and
outbound SPD entries that instantiate the address for the laptop for the
duration of this SA, to represent the user's authorization for this SA.

Steve
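A toy model of the mechanism described in the reply above, added here as an illustration; it is not code from the thread or from any IPsec implementation. The class and field names (`PolicyDb`, `SpdEntry`, `negotiate_sa`) and the sample user name and addresses are constructed. It shows why a name-based SPD entry can never match a packet on its own, and how a temporary address-based entry bound to one SA is instantiated when the SA is negotiated and removed when the SA goes away.

```python
"""Toy SPD/SAD model for name-based remote-access policy (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class SpdEntry:
    # Selector is either an address ("ANY" or a literal) or a user name
    # (e.g. an RFC 822 name); a steady-state packet only carries addresses.
    src_addr: Optional[str]
    user_name: Optional[str]
    proto: str
    dport: int
    action: str                  # "protect" | "bypass" | "discard"
    sa_id: Optional[int] = None  # set on temporary entries bound to one SA
    temporary: bool = False

    def matches_packet(self, pkt: Packet) -> bool:
        # A purely name-based entry cannot match: packets carry no names.
        if self.src_addr is None:
            return False
        if self.src_addr not in ("ANY", pkt.src):
            return False
        return self.proto == pkt.proto and self.dport == pkt.dport


class PolicyDb:
    """Holds static SPD entries, SA-specific temporary entries, and a toy SAD."""

    def __init__(self):
        self.entries = []
        self.sad = {}        # sa_id -> {"peer": addr, "user": name}
        self._next_sa = 1

    def add(self, entry: SpdEntry) -> None:
        self.entries.append(entry)

    def lookup(self, pkt: Packet) -> Optional[SpdEntry]:
        # Temporary (SA-instantiated) entries are consulted before static ones.
        for e in sorted(self.entries, key=lambda e: not e.temporary):
            if e.matches_packet(pkt):
                return e
        return None

    def negotiate_sa(self, user_name: str, peer_addr: str,
                     proto: str, dport: int) -> Optional[int]:
        """Simulate SA establishment for a peer identified by user name.

        Authorization is checked against the name-based SPD entry; the
        peer's current address is then instantiated into a temporary
        address-based entry that lives as long as the SA does.
        """
        policy = next((e for e in self.entries
                       if not e.temporary and e.user_name == user_name
                       and e.proto == proto and e.dport == dport), None)
        if policy is None:
            return None  # this user is not authorized for this traffic
        sa_id = self._next_sa
        self._next_sa += 1
        self.sad[sa_id] = {"peer": peer_addr, "user": user_name}
        self.entries.append(SpdEntry(src_addr=peer_addr, user_name=user_name,
                                     proto=proto, dport=dport,
                                     action=policy.action,
                                     sa_id=sa_id, temporary=True))
        return sa_id

    def delete_sa(self, sa_id: int) -> None:
        # Tearing down the SA also removes the temporary SPD entries it created.
        self.sad.pop(sa_id, None)
        self.entries = [e for e in self.entries if e.sa_id != sa_id]


def demo():
    """Walk one road-warrior SA through its lifetime (constructed values)."""
    db = PolicyDb()
    db.add(SpdEntry(src_addr=None, user_name="alice@example.com",
                    proto="udp", dport=1701, action="protect"))
    pkt = Packet(src="192.0.2.10", dst="198.51.100.1", proto="udp", dport=1701)
    before = db.lookup(pkt)                       # None: no address selector yet
    sa = db.negotiate_sa("alice@example.com", "192.0.2.10", "udp", 1701)
    during = db.lookup(pkt)                       # temporary entry bound to sa
    db.delete_sa(sa)
    after = db.lookup(pkt)                        # None again once SA is gone
    unauthorized = db.negotiate_sa("mallory@example.com", "203.0.113.7", "udp", 1701)
    return before, sa, during.sa_id if during else None, after, unauthorized


if __name__ == "__main__":
    print(demo())
```

The lookup order (temporary entries first) stands in for the more specific match an implementation would use; the point is that the address-keyed entry exists only between SA creation and deletion, so the user's authorization is expressed per-SA rather than by a permanent address rule.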