[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RFC2401 Questions



Hello,

I've been reviewing the IPsec discussion logs, and there were a couple of
items I saw that I
did not find a definitive resolution to.  They're listed below, along with
what seemed to
me to be the majority (plurality?) opinion:

1. Section 5.2.1, Checking inbound packet against SPD entry

The following note is after step 4:

'NOTE: The correct "matching" policy will not necessarily be the first
inbound policy
found.  If the check in (4) fails, steps (3) and (4) are repeated until all
policy
entries have been checked or until the check succeeds.'

The question is, if the inbound SPD is ordered, how can the first "matching"
policy
not be the correct policy?

My interpretation from the discussion:
This note only applies if backpointers are used to find SPD entries, as each
SAD entry
may point to multiple SPDs.  If the check is performed by doing a search
through the
SPD, the first "matching" policy is the correct one, and can be used to
accept
(kind and order were correct) or reject (kind or order were incorrect) the
packet.
I.e., steps 3 and 4 are not repeated if the packet selectors are used to
find the
first "matching" policy in the SPD.


2. AH as Protocol Selector

Is AH a valid Protocol Selector, or, when AH header is found, use the "Next
Header"
field to find the Protocol?

My interpretation from the discussion:
Could be done either way, should make this configurable on a per-SA basis.
(Same applies to IPComp)


3. Section 5.2.1, ICMP Error Packets

If, after decapsulation, an ICMP Error Packet is generated, how is it sent
back to
the source?

My interpretation from the discussion:
The plurality opinion (and based on the comments in section 5.2.1) is that
the header
of the packet that caused the ICMP Error message is used to select the SA
bundle
(with source/destination addresses swapped, and ports swapped if available).
Since the
port numbers may not be available, the actual SA used may not be the exactly
correct
one.  I.e., it could be mapped to any SA bundle that had the correct
Source/Destination
address.


4. Section 4.4.2, Name As Selector

Are User ID and System Name valid selectors in a Security Gateway?

My interpretation from the discussion:
No, these are only for Host implementations.


5. ICMP 'Type' and 'Code' fields

Can these be used as selectors, similar to the use of 'Port' for TCP/UDP?

My interpretation from the discussion:
Yes.



Many thanks in advance for any feedback.

Best Regards,
Joseph D. Harwood