[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: interpretation of SA bundle.

To: msa@hemuli.tte.vtt.fi, sakane@ydc.co.jp
Subject: RE: interpretation of SA bundle.
From: Tim Jenkins <tjenkins@TimeStep.com>
Date: Tue, 7 Dec 1999 08:44:36 -0500
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

> -----Original Message-----
> From: Markku Savela [mailto:msa@anise.tte.vtt.fi]
> Sent: December 7, 1999 3:13 AM
> To: sakane@ydc.co.jp
> Cc: ipsec@lists.tislabs.com
> Subject: Re: interpretation of SA bundle.
> 
> 
> My interpretation...
> 
> > Node A sends a proposal including AH tunnel mode followed by ESP
> tunnel
> > mode.  In this case, we should interpreted to be created IP 
> payload by
> > using this SA,
> > 
> > 	1. [outer IP][AH][ESP][inner IP][ULP]
> > 	2. [outer IP][ESP][AH][inner IP][ULP]
> > 	3. [outer IP][AH][inner IP][ESP][inner IP'][ULP]
> > 	4. [outer IP][ESP][inner IP][AH][inner IP'][ULP]
> > 
> > Which is right ?
> 
> Assuming the proposal order as you stated: 4 (e.g. first apply
> tunnel+AH, then tunnel+ESP). Note, in (1) AH and in (2) ESP is
> transport mode, so they don't match your proposal anyway.
> 
> The result should depend on the ordering in the proposal? I don't know
> about IKE, but I can express all of the above combinations in my
> policy file, and the kernel IPSEC machinery can do them.
> 

First, let's be explicit about how this was proposed. If this was
proposed as a single SA payload with multiple proposal payloads
with the same number, then:

We discussed this and tested this at a bake-offs quite some time ago and
the concensus seemed to be that the order of application was not as
proposed, but as to what made sense. That order was (outbound processing)
IPCOMP before ESP before AH, no matter what the order of proposal.

Secondly, the attributes across the proposals are to be consistent,
and that they must apply to the bundle as a whole. [Aside: this is
specifically called an SA suite in the MIBs.] This means that a
bundle (of this type) is all transport mode or all tunnel mode.

This means that the correct answer for the above questions is 1.

> > Another case, Node A sends a proposal including AH transport mode
> followed
> > by ESP tunnel mode.
> > 
> > 	1. [outer IP][AH][ESP][inner IP][ULP]
> > 	2. [outer IP][ESP][inner IP][AH][ULP]
> > 
> > I think there is not these rules of interpretation in any drafts.
> 
> The case 2 (e.g. first apply AH, then tunnel+ESP). I guess the rule
> should just state: apply strictly in proposed order.

Again, with the same assumptions, the second case is inconsistent.
However, our implementation will convert the transport mode to
tunnel, and apply tunnel to the whole thing. Therefore, the answer
is 1.

I third the suggestion that this needs to be clearer. Our implementation
originally did what Markku's did. It no longer does.

Follow-Ups:

RE: interpretation of SA bundle.

From: Shoichi Sakane <sakane@ydc.co.jp>

Prev by Date: RE: Heartbeats (was RE: keepalives)
Next by Date: Re: Heartbeats (was RE: keepalives)
Prev by thread: Re: interpretation of SA bundle.
Next by thread: RE: interpretation of SA bundle.
Index(es):
- Main
- Thread