
RE: Protocol specific and port specific SAs



	But what if I only want my IPSEC to be applied to TCP & ICMP (only 2
selectors defined)? Then shouldn't IKE also fill the Protocol ID field with a 0?
	In this way, when PF_KEY is updated no protocol is specified and any
packet matching the selectors would use this negotiated SA, that is TCP and
ICMP as I intended.
	As my SA spec has defined a shared SA, when a new packet matches the
selector it won't compare the protocol field with the SA and so only TCP and
ICMP would be protected by this SA, because these 2 are the only ones to match
the selector.

Toni

-----Original Message-----
From: EXT Alain Jourez [mailto:Alain.Jourez@helios.iihe.ac.be]
Sent: 04. September 2000 19:02
To: antonio.barrera@nokia.com; ipsec@lists.tislabs.com
Subject: Re: Protocol specific and port specific SAs


Well, someone correct me if I'm wrong (there may be some new exchanges
defined in a draft of which I'm unaware) but you cannot have a shared SA that
is based only on two protocols. From RFC 2407 (IPsec DOI) § 4.6.2:

RFC2407>> Protocol ID (1 octet) Value specifying an associated IP protocol ID
RFC2407>> (e.g. UDP/TCP).
RFC2407>> A value of zero means that the protocol ID field should be ignored.

I interpret that this way: if I want to specify that all protocols should be
protected by this SA I put a zero into this field. A value here should mean
that only the protocol specified will be protected by this SA.

As a side effect I don't see a way to specify that an SA should protect two or
more specific protocols (except for the case of protecting all protocols or
maybe manual keying). It could be possible to specify something like that
using numerous ID payloads but as far as I know, there may only be one such
pair per Quick Mode negotiation.

I hope this helps.
Regards,
Alain.


antonio.barrera@nokia.com wrote:

>         How exactly do these IPSEC features work?
> I've been testing some IPSEC/IKE software and I'm not sure if the results
> are correct.
>         For example, if I have this environment:
> ------
>         How do I specify a SHARED SA for protocols TCP & ICMP only, for
> example?
> (I'm not sure if I'm doing it the wrong way or it's just a small bug in the
> other code.)
>         The configuration I use is this:
>
>         My end host (E), Gateway (GW), Host behind GW (H)
>
>                 H ------ GW ======= E   SA (shared for tcp & icmp)
>
>
>         2 policies specifying:
>
>                 Selector 1: H <-> E icmp
>                 Selector 2: H <-> E tcp
>
>                 (through the tunnel GW)
>                 (Both using same IPSEC and IKE SAs!)
>
>         If GW acts as an INITIATOR, it sends the protocol number (i.e. tcp(6))
> with the Phase II IDs when it shouldn't (or does it?). That makes E think it's
> trying to negotiate a TCP-specific SA and updates the SA database accordingly.
> After that the packets are discarded because they don't match the SA spec
> configured in E that says that the SA is shared (not protocol-specific, as I
> use it).
>         If GW acts as a RESPONDER, E sends Phase II IDs WITHOUT setting the
> protocol ID, but then GW complains that this doesn't match the
> policy where tcp is set.
> -----
>         So the thing here is: should IKE send the protocol number specified
> in the selector when the SA is shared? I think no, because then the other
> side doesn't know if we want to negotiate a protocol-specific SA (1 new SA
> for each new protocol) or a shared SA (1 SA for all the protocols, TCP and
> ICMP here).
>         If the protocol is always sent, how do we know if we are negotiating
> an SA that will be shared among different protocols?
>
>         Thanks a lot.
>
> Toni

--
                      Alain Jourez
          Service  Télématique et  Communication

Université Libre de Bruxelles   Tél. +32 (0) 2 650 57 04
Boulevard du Triomphe, CP 230   Fax  +32 (0) 2 629 38 16
B-1050 Bruxelles - Belgium      mailto:alain.jourez@helios.iihe.ac.be
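Added example, not code from the thread or from either poster: a small Python model of the RFC 2407 § 4.6.2 Protocol ID rule the messages above argue about. The constant and function names are this example's own assumptions; it replays Toni's two cases (GW initiating with tcp(6), E initiating with 0) and Alain's point that a Protocol ID of 0 covers every protocol, not only TCP and ICMP.

```python
# Added illustration of RFC 2407 section 4.6.2 Protocol ID semantics; the
# function and constant names are this example's own, not any implementation's.
ANY_PROTOCOL = 0          # "a value of zero means the protocol ID field should be ignored"
ICMP, TCP, UDP = 1, 6, 17  # IP protocol numbers

def proposed_protocol_id(selector_protocols, shared_sa):
    """Protocol ID a peer places in its Phase II ID payload for a policy.

    One Quick Mode carries one ID pair, so one SA can name at most one
    protocol: a protocol-specific SA carries that number, while a shared SA
    (or any policy spanning several protocols) can only be expressed as 0.
    """
    protocols = set(selector_protocols)
    if not shared_sa and len(protocols) == 1:
        return protocols.pop()
    return ANY_PROTOCOL

def sa_covers(sa_protocol_id, packet_protocol):
    """Selector check against an installed SA: 0 matches everything, else exact match."""
    return sa_protocol_id == ANY_PROTOCOL or sa_protocol_id == packet_protocol

def install_sa_from_peer(peer_protocol_id):
    """Responder that accepts the initiator's ID and keys the new SA by it."""
    return peer_protocol_id

def thread_scenario():
    """Replay both cases from the thread plus the consequence of Protocol ID 0."""
    # Case 1: GW initiates and sends its selector's protocol number, tcp(6);
    # E installs a TCP-specific SA, so ICMP traffic never matches it.
    gw_offer = proposed_protocol_id([TCP], shared_sa=False)        # 6
    sa_on_e = install_sa_from_peer(gw_offer)
    icmp_protected = sa_covers(sa_on_e, ICMP)                       # False
    # Case 2: E initiates with its shared policy, so Protocol ID is 0;
    # GW's policy names tcp, so the IDs do not match and GW complains.
    e_offer = proposed_protocol_id([TCP, ICMP], shared_sa=True)      # 0
    gw_accepts = e_offer == TCP                                     # False
    # Alain's point: 0 means "all protocols", so a "TCP and ICMP only" SA
    # cannot be expressed; UDP would match the shared SA as well.
    udp_also_covered = sa_covers(e_offer, UDP)                      # True
    return icmp_protected, gw_accepts, udp_also_covered

if __name__ == "__main__":
    print(thread_scenario())  # (False, False, True)
```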
