
Re: SA selectors



> Hello!
>
> I have a question concerning the SA selectors:
>
> RFC 2401 requires support for the following SA selectors:
> - single source/dest address
> - source/dest address range
> - source/dest subnet with netmask
> - wildcard for source/dest address
>
> Does anyone support an SA to have multiple of these selector values at
> the same time?

By multiple do you mean the source address could be say wildcard while the
destination address could be a subnet?  The answer is yes.  The SA entry is
an instantiation of the SP entry.  Or at least, that is how I view it.  I
show an example below.

>
> This is mainly a configuration issue:
> consider a huge corporate network and a policy affording the traffic of
> some selected machines to be protected with ipsec when traversing the
> internet to some remote site, protected by a security gateway.
> This would result in as many entries in the SAD as there are machines
> which must be protected. It would be much easier to configure
> -especially with manual keying- and much easier to monitor, if this
> setup would result in only one SA (which defines the same security
> parameters for all machines).
>
> All comments appreciated!
>
I assume SG1 for corporate network 1 and SG2 for corporate network 2.

    <Many hosts in CorpNet1> ------- <SG1> -------- <Internet> -------- <SG2> -------- <Many hosts in CorpNet2>

So, you want SG1 to have say one policy and one SA to protect many hosts
sending traffic over the Internet to hosts behind SG2, right?  To do this,
SG1 has the following:

Security Policy on SG1:
PolicyNum  RmtAddr           LclAddr    OtherSelectors  InSA  OutSA  Direction
5          CorpNet2(policy)  *(policy)  * * *           9     8      BIDIRECT

Security Assoc on SG1:
SA Num  SADestAddr  DestAddr  LclAddr  OtherSelectors  Direction
9       SG1         POLICY    POLICY   POLICY          INBOUND
8       SG2         POLICY    POLICY   POLICY          OUTBOUND

I probably should explain the SP and SAs I show.  The SP entry says for
traffic originating from any hosts to corporate network 2 use this policy.
Since "Direction" is bidirectional, the opposite is also true.  That is, for
traffic from SG2 to any host use this policy.  The "RmtAddr" selector says
take from policy, which doesn't require an individual SA for every host
sending to corporate network 2.  The other selectors are all wildcard and
take from policy.  So, two SAs are required for this policy.  SA "9" is for
inbound traffic and SA "8" for outbound.  You'll note the "SADestAddr" is
the one used for the triple lookup.  I don't include the SPI or IPSec
protocol.

This example handles many machines from one network to the other without an
SA for each machine.

Aaron
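The SPD/SAD relationship Aaron sketches above, as an added worked example (editor's code, not from the post or any IPsec implementation). It models the four RFC 2401 selector kinds, an SPD entry whose RmtAddr is a subnet and LclAddr a wildcard, and two SAs whose selectors read POLICY, so every CorpNet1 host sending to CorpNet2 is mapped to the same outbound SA. It also shows the inbound side: lookup by (SADestAddr, SPI), followed by the check of the decapsulated packet against the SA's inherited selectors that RFC 2401 requires. The addresses, SPIs and network numbers are constructed for illustration; the lookup uses (dest, SPI) only and leaves the protocol of the triple out, as the post does.

```python
"""Toy model of the RFC 2401 SPD -> SAD relationship (added example, constructed data).

An SA field set to POLICY inherits that selector from the SPD entry it was
instantiated from, so one SA pair serves every host the policy covers.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPv4 = ipaddress.IPv4Address


class Selector:
    def matches(self, addr: IPv4) -> bool:
        raise NotImplementedError


@dataclass(frozen=True)
class Single(Selector):          # single source/dest address
    addr: IPv4
    def matches(self, addr): return addr == self.addr


@dataclass(frozen=True)
class Range(Selector):           # inclusive address range
    lo: IPv4
    hi: IPv4
    def matches(self, addr): return self.lo <= addr <= self.hi


@dataclass(frozen=True)
class Subnet(Selector):          # subnet with netmask
    net: ipaddress.IPv4Network
    def matches(self, addr): return addr in self.net


@dataclass(frozen=True)
class Wildcard(Selector):        # "*"
    def matches(self, addr): return True


POLICY = "POLICY"  # SA selector value meaning "take from the SPD entry"


@dataclass
class SPDEntry:
    num: int
    rmt: Selector      # RmtAddr
    lcl: Selector      # LclAddr
    in_sa: int
    out_sa: int
    direction: str = "BIDIRECT"


@dataclass
class SADEntry:
    num: int
    spi: int                          # constructed; the post omits the SPI
    sa_dest: IPv4                     # SADestAddr: tunnel endpoint used for the inbound lookup
    direction: str                    # INBOUND or OUTBOUND
    policy: SPDEntry                  # SPD entry this SA instantiates
    rmt: Union[Selector, str] = POLICY
    lcl: Union[Selector, str] = POLICY

    def effective(self, name: str) -> Selector:
        """Resolve POLICY to the selector of the SPD entry."""
        sel = getattr(self, name)
        return getattr(self.policy, name) if sel is POLICY else sel


# Constructed topology: SG1 protects CorpNet1 (10.1/16), SG2 protects CorpNet2 (10.2/16).
SG1 = IPv4("192.0.2.1")
SG2 = IPv4("198.51.100.1")
CORPNET2 = ipaddress.IPv4Network("10.2.0.0/16")


def build_sg1() -> Tuple[List[SPDEntry], Dict[int, SADEntry]]:
    """SG1's SPD and SAD as in the post: policy 5, SA 9 inbound, SA 8 outbound."""
    p5 = SPDEntry(num=5, rmt=Subnet(CORPNET2), lcl=Wildcard(), in_sa=9, out_sa=8)
    sad = {
        9: SADEntry(num=9, spi=0x1001, sa_dest=SG1, direction="INBOUND", policy=p5),
        8: SADEntry(num=8, spi=0x2002, sa_dest=SG2, direction="OUTBOUND", policy=p5),
    }
    return [p5], sad


def outbound_lookup(spd, sad, src: IPv4, dst: IPv4) -> Optional[SADEntry]:
    """Outbound: the first SPD entry matching (LclAddr=src, RmtAddr=dst) names the SA.
    No match means no policy; RFC 2401 discards such traffic (None here)."""
    for entry in spd:
        if entry.lcl.matches(src) and entry.rmt.matches(dst):
            return sad[entry.out_sa]
    return None


def inbound_lookup(sad, sa_dest: IPv4, spi: int, inner_src: IPv4, inner_dst: IPv4) -> str:
    """Inbound: find the SA by (SADestAddr, SPI), then check the decapsulated packet
    against the SA's (inherited) selectors. A packet carried on SA 9 whose inner
    source lies outside CorpNet2 must be dropped even though the SA was found."""
    sa = next((s for s in sad.values()
               if s.direction == "INBOUND" and s.sa_dest == sa_dest and s.spi == spi), None)
    if sa is None:
        return "DROP: no SA"
    # Bidirectional policy: RmtAddr applies to the inner source, LclAddr to the inner destination.
    if not (sa.effective("rmt").matches(inner_src) and sa.effective("lcl").matches(inner_dst)):
        return f"DROP: selector mismatch on SA {sa.num}"
    return f"ACCEPT: SA {sa.num}"


if __name__ == "__main__":
    spd, sad = build_sg1()
    for host in ("10.1.0.7", "10.1.200.1", "10.1.44.44"):   # many CorpNet1 hosts, one SA
        print(host, "->", outbound_lookup(spd, sad, IPv4(host), IPv4("10.2.9.9")).num)
    print(inbound_lookup(sad, SG1, 0x1001, IPv4("10.2.3.4"), IPv4("10.1.5.6")))
    print(inbound_lookup(sad, SG1, 0x1001, IPv4("203.0.113.5"), IPv4("10.1.5.6")))
```

The point the check in inbound_lookup makes is the one a practitioner needs when collapsing many hosts onto one SA: the SA's selectors are the policy's selectors, so the gateway still enforces per-packet that what arrived inside the tunnel is traffic the policy allows, without any per-host SAD entry.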



