[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Out of Sync Security Policies

To: ipsec@lists.tislabs.com
Subject: RE: Out of Sync Security Policies
From: antonio.barrera@nokia.com
Date: Mon, 6 Nov 2000 16:14:32 +0200
Sender: owner-ipsec@lists.tislabs.com

	I'm not 100% sure because I had problems with this as well, however,
I'd say that the first IKE negotiation I wrong and should fail because
selectors don't match. If the INITIATOR proposes ANY protocol then the
RESPONDER must have ANY in the policy as well. Otherwise you have funny
situations like yours.

Toni
	

-----Original Message-----
From: EXT Kim Edwards [mailto:kimed@nortelnetworks.com]
Sent: 03. November 2000 17:57
To: ipsec
Subject: Out of Sync Security Policies


We are having a problem with out of sync security policies (sp) and we
would like to know what other implementations are doing to address
this problem. It is possible that we are simply missing something from
the RFC.

setup:

Gateway A                                                      Gateway B

Initiator --------------------- Responder

sp/1
sp/1
ip addresses: 10.1.1.0                                     ip addresses:
10.1.1.0
protocol: any                                                  protocol:
tcp


sp/2

ip addresses: 10.1.1.0

protocol: icmp

Assumptions:

1. all data traffic is flowing from Gateway A to Gateway B.

2. The selectors in a negotiated SA use the value from the
corresponding security policy (option b from section 4.4.1, RFC 2401).

3. there are no SAs initially setup.

4. all security policies have the action: protect.

Now, if we generate a tcp packet, an SA will be negotiated between A's
sp/1 and B's sp/1. The selectors in A's SA will contain "any" as a
protocol (assumption 2).

If we then send an ICMP packet, the ICMP packet will see that an SA
exists according to the sp and SA selectors and a protected packet
will be sent to B. B will verify/remove the protection and then verify
that the selectors match. Since B's SA selectors contain the protocol
"tcp" (assumption 2), the packet will be discarded as the protocol is
"icmp".
Therefore, it is impossible to send ICMP traffic without clearing the
previous
SA or having matching sp on both sides.

How do we get ICMP traffic through in such a setup?

We must be missing the obvious.

I must apologize if this has been discussed in past threads, but I
could not find any references to this problem.

Kim Edwards

Follow-Ups:

Re: Out of Sync Security Policies - Design Flaw

From: "Kim Edwards" <kimed@nortelnetworks.com>

Prev by Date: Out of Sync Security Policies
Next by Date: Reminder - Connectathon
Prev by thread: Out of Sync Security Policies
Next by thread: Re: Out of Sync Security Policies - Design Flaw
Index(es):
- Main
- Thread