
Re: interpretation of SA bundle.




> As I think Tim pointed out, the list had a rough consensus that only
> sane (useful) ordering should be applied to the packets, no matter
> what ordering the protocols have in the IKE SA payload.  The reason
> being that limiting flexibility and thus complexity of IKE will
> improve interoperability.

First, IKE should not be making decisions about what is sane and what
is not. If a user wants to use "insane" ordering, systems at *this*
level should allow it. The "sane" vs. "insane" choices should be left
up to the higher level tools, such as policy editors and configuration
tools.

Second, all these ad hoc rules about what is sane or not are not
making implementations simple, quite the contrary.

If we want SIMPLE, IKE should just negotiate a single unidirectional SA
in response to an ACQUIRE message (or equivalent). No bundles, no
worries about ordering or about multiple transport/tunnel modes,
everything goes.

All that is negotiated are the SA parameters: lifetimes, algorithms
and keys to be used.

Of course this is my old fight, which I cannot win: No bundles on IKE
level, bundles are a policy concept which IKE really does not need to
know about. However, to be at least minimally compatible with others,
I may strive for an IKE implementation that negotiates the SA's of the
first offered bundle, for which all algorithm support exists, but
ignoring the ordering. If order on the policy of the other end does
not match the user defined local policy, then packets are dropped even
though negotiation succeeds...

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/


ps. While testing with KAME, I seemed to notice that it is not too picky
about ordering of SA's in a bundle (I had some weird combo of a few AHs
and ESP's with tunnel thrown in, and my end complained about mismatch
in policy, but KAME was happy with any order as long as SA's were
present, this was with manual keys only and I was applying the same
SA's multiple times on the same packet (yes insane, but ... :-)).
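A toy model of the selection rule proposed in the message above (added here as an illustration; it is not code from the poster, from KAME or from any IKE implementation). It assumes a constructed algorithm-support table and represents a bundle as a list of (protocol, mode, algorithm) entries: negotiation picks the first offered bundle whose algorithms are all supported and ignores ordering, while the local policy check on the packet path is order-sensitive, so the "negotiation succeeds but packets are dropped" outcome can be reproduced; a non-strict mode mimics the order-insensitive behaviour the postscript reports for KAME.

```python
from typing import Dict, List, Optional, Set, Tuple

# (protocol, mode, algorithm), e.g. ("ESP", "tunnel", "3des")
SAEntry = Tuple[str, str, str]

# Constructed example of what this (hypothetical) end supports.
SUPPORTED: Dict[str, Set[str]] = {
    "ESP": {"3des", "aes"},
    "AH": {"hmac-sha1", "hmac-md5"},
}


def select_bundle(offered: List[List[SAEntry]],
                  supported: Dict[str, Set[str]] = SUPPORTED) -> Optional[List[SAEntry]]:
    """Return the first offered bundle whose algorithms are all supported.

    The ordering of entries inside a bundle is deliberately ignored:
    only the SA parameters (protocol and algorithm) are negotiated.
    """
    for bundle in offered:
        if all(alg in supported.get(proto, set()) for proto, _mode, alg in bundle):
            return bundle
    return None


def policy_matches(negotiated: List[SAEntry], local_policy: List[SAEntry],
                   strict: bool = True) -> bool:
    """Packet-path policy check: strict compares order, lenient only membership."""
    if strict:
        return negotiated == local_policy
    return set(negotiated) == set(local_policy)


def outcome(offered: List[List[SAEntry]], local_policy: List[SAEntry],
            supported: Dict[str, Set[str]] = SUPPORTED, strict: bool = True) -> str:
    """Classify the result: 'no-sa', 'ok', or 'negotiated-but-dropped'."""
    chosen = select_bundle(offered, supported)
    if chosen is None:
        return "no-sa"  # negotiation fails outright
    if policy_matches(chosen, local_policy, strict):
        return "ok"
    # An SA exists, but the peer's ordering differs from local policy,
    # so traffic is dropped even though negotiation succeeded.
    return "negotiated-but-dropped"


# Constructed sample: peer offers AH-then-ESP, local policy wants ESP-then-AH.
PEER_OFFER = [[("AH", "transport", "hmac-sha1"), ("ESP", "tunnel", "3des")]]
LOCAL_POLICY = [("ESP", "tunnel", "3des"), ("AH", "transport", "hmac-sha1")]

if __name__ == "__main__":
    print(outcome(PEER_OFFER, LOCAL_POLICY))  # negotiated-but-dropped
```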
