
Re: Checking incoming traffic against SPD



> All SPDs are ordered.

I thought there was a statement in the draft before it became RFC2406
stating that the inbound SPD is not required to be ordered, which never made
sense to me.  Although looking at the RFC, I couldn't find the statement.

> Because SAs might be shared by more than one SA bundle (a complex feature
> allowed by the architecture in response to concerns voiced by implementors
> and users who were concerned about creating largely duplicative SAs under
> some circumstances), there may be a need to look at multiple (inbound) SPD
> entries to ensure that the completed processing is consistent with at
> least one of these entries.  However, I defer to Charlie Lynn, who is
> responsible for that particular piece of text.  He may be able to provide
> a better rationale.

Can someone demonstrate sharing an SA between SA Bundles and the subsequent
processing Steve is mentioning?

Here is what I consider sharing an SA, which is essentially sharing an SP in
my implementation.

    A ------ SG ---------- <Internet> ----------- C
    B---|

A and B are hosts protected by security gateway SG.  Note my ordering is
most specific at the higher numbers.  C has the following entries in its
SPD:

Policy  Dst  Proto  Mode    SABundle  Direction      Action
10      B    AH     Trans   4         bidirectional  IPSec
9       A    ESP    Trans   4         bidirectional  IPSec
4       SG   AH     Tunnel  None      bidirectional  IPSec
1       *    *      *       None      bidirectional  Drop

This is just the way I do things.

Traffic from C to A:
    IP(C->SG)_AH_IP(C->A)_ESP_Data

Traffic from C to B:
    IP(C->SG)_AH_IP(C->B)_AH_Data

I consider policy 4 and hence the SA instantiation shared by the two
different SA Bundles.  If C just sends traffic to SG, policy 4 is used
unless I install a policy above 4.

In the case of inbound SP verification for traffic from A to C, policy
number 9 is found and it states that there should be an SA Bundle.  If there
isn't, I drop the packet.  If the SA pointed to by SP 4 is wrong, I drop the
packet.

I don't see (at least in my implementation) this as requiring multiple
inbound SP lookups to verify everything was done, because you need to know
an SA Bundle is required in the first place.  You wouldn't want to keep
searching the inbound SPD until you found the correct selectors and the
right SA, would you?  It could be that other implementers did something
completely different for SA Bundles.

Thanks,

Aaron
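The single-lookup inbound check described in the post, as an added example that is not Aaron's implementation or any code from the list. It models host C's SPD table above with higher policy numbers more specific, performs one ordered SPD lookup on the inner source, and then verifies that the packet actually arrived with the SA the matched policy requires plus, where the SABundle column names another policy, that policy's SA as the outer layer. The reading of SABundle as "the policy whose SA forms the outer layer of the bundle", the description of a received packet as a list of (peer, protocol, mode) layers, and all class and function names are this example's own assumptions.

```python
from typing import List, Optional, Tuple


class Policy:
    """One SPD entry. Field names follow the columns of the table in the post."""

    def __init__(self, number: int, dst: str, proto: str, mode: str,
                 sa_bundle: Optional[int], action: str) -> None:
        self.number = number        # ordering key: higher = more specific
        self.dst = dst              # peer host, or '*' for any
        self.proto = proto          # 'AH', 'ESP' or '*'
        self.mode = mode            # 'Trans', 'Tunnel' or '*'
        self.sa_bundle = sa_bundle  # policy whose SA is the outer layer, or None
        self.action = action        # 'IPSec' or 'Drop'


# Host C's SPD from the post (constructed sample data; the Direction column
# is omitted because every entry is bidirectional).
SPD_AT_C = [
    Policy(10, "B", "AH", "Trans", 4, "IPSec"),
    Policy(9, "A", "ESP", "Trans", 4, "IPSec"),
    Policy(4, "SG", "AH", "Tunnel", None, "IPSec"),
    Policy(1, "*", "*", "*", None, "Drop"),
]

# One protection layer found on a received packet once its IPsec headers
# have been processed: (peer the SA is with, protocol, mode).
Layer = Tuple[str, str, str]


def lookup(spd: List[Policy], peer: str) -> Optional[Policy]:
    """Single ordered SPD lookup: walk from most specific (highest number)
    to least specific and return the first entry whose selector matches."""
    for policy in sorted(spd, key=lambda p: p.number, reverse=True):
        if policy.dst in ("*", peer):
            return policy
    return None


def required_layers(spd: List[Policy], policy: Policy) -> List[Layer]:
    """Protection a packet matched by `policy` must carry, outermost first.
    A bundle reference pulls in the referenced policy's SA as the outer
    layer, so policy 9 requires policy 4's AH tunnel outside its own ESP."""
    layers: List[Layer] = [(policy.dst, policy.proto, policy.mode)]
    if policy.sa_bundle is not None:
        outer = next(p for p in spd if p.number == policy.sa_bundle)
        layers.insert(0, (outer.dst, outer.proto, outer.mode))
    return layers


def verify_inbound(spd: List[Policy], src: str,
                   layers: List[Layer]) -> Tuple[bool, Optional[int], str]:
    """Check a packet from `src` that arrived with `layers` of protection
    (outermost first; [] for plaintext). One SPD lookup decides which
    policy applies; the bundle check then compares the SAs actually used
    against what that policy and its bundle partner require.
    Returns (accepted, matched policy number, reason)."""
    policy = lookup(spd, src)
    if policy is None:
        return False, None, "no SPD entry matches; default deny"
    if policy.action == "Drop":
        return False, policy.number, "policy action is Drop"
    expected = required_layers(spd, policy)
    if layers == expected:
        return True, policy.number, "protection matches policy and its SA bundle"
    if not layers:
        return False, policy.number, "IPsec required but packet is plaintext"
    if len(layers) < len(expected):
        return False, policy.number, (
            "SA bundle incomplete: missing SA from policy %d" % policy.sa_bundle)
    return False, policy.number, "protection present but does not match the required SAs"


if __name__ == "__main__":
    cases = [
        ("A", [("SG", "AH", "Tunnel"), ("A", "ESP", "Trans")]),   # from A via bundle 4
        ("B", [("SG", "AH", "Tunnel"), ("B", "AH", "Trans")]),    # from B via bundle 4
        ("SG", [("SG", "AH", "Tunnel")]),                          # SG itself, policy 4
        ("A", [("A", "ESP", "Trans")]),                            # outer AH tunnel missing
        ("A", [("SG", "ESP", "Tunnel"), ("A", "ESP", "Trans")]),   # wrong SA for policy 4
        ("X", []),                                                 # unknown host, policy 1
    ]
    for src, layers in cases:
        print(src, layers, "->", verify_inbound(SPD_AT_C, src, layers))
```

The point of the model is the control flow: `lookup` runs exactly once per packet, and the "is the SA pointed to by SP 4 right?" question is answered by following the bundle reference from the matched entry, not by rescanning the SPD for another entry that happens to fit the observed headers. A plaintext packet from A, or one that arrives with the ESP transport SA but without the AH tunnel to SG, is rejected on the same single lookup.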




