
RE: Help - IPSec Newbie



> From: EXT Arvind Devarajan

> <Policy 1> Policy, List of SAs
> <Policy 2> Policy, List of SAs

> 1. As I understand, the SPD is a static database done initially, and all the
> SAs are created dynamically. This being the case, how will the "List of
> SAs" or a "Single SA" be specified in the policy entries of the SPD?

It's not a list of SAs. It's a list of "SA templates", which specify the
required parameters for the SAs to be used or created.

> 2. Just as the incoming packets help in identifying the SA through which
> they should be passed, using the tuple (SPI, Protocol and Dst Addr),
> do the SPD entries too have any such identifier for the SAs?

That is an implementation issue. As an optimization, one could attach the
real SAs to the policy selector once they are created. However, it gets
complex. Consider a selector

  remote port = 8099 -> SA-template

That selector will apply to multiple communications with different hosts,
each needing a similar, but different SA (addresses are different). Thus you
would at least need to implement a list of created SAs, and search this
list for an existing SA whenever the policy matches. [assume port 8099 is used
by some new fancy protocol that always uses IPSEC]
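The arrangement described in this reply, as an added toy model that is not part of the original message: a policy holds a selector and an SA template, SAs created from the template are kept in a per-policy list searched on the address pair before a new one is created, and the receiver's SAD is indexed by (SPI, protocol, dst). The class and field names, and all addresses and SPIs, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class SaTemplate:
    """Parameters an SA must have; what the SPD entry actually stores."""
    protocol: str  # "ESP" or "AH"
    cipher: str


@dataclass
class SA:
    spi: int
    protocol: str
    src: str
    dst: str
    cipher: str


@dataclass
class Policy:
    remote_port: int  # the selector, e.g. remote port = 8099
    template: SaTemplate
    sas: list = field(default_factory=list)  # SAs created from the template


class IPsecDB:
    def __init__(self, policies):
        self.spd = policies
        self.sad = {}  # receiver-side index: (spi, protocol, dst) -> SA
        self._spi = count(0x1000)  # constructed SPI allocator

    def outbound(self, src, dst, dport):
        """Match the selector, then reuse the SA for this address pair or create one."""
        for pol in self.spd:
            if pol.remote_port != dport:
                continue
            for sa in pol.sas:
                if sa.src == src and sa.dst == dst:
                    return sa  # same hosts: existing SA applies
            sa = SA(next(self._spi), pol.template.protocol, src, dst, pol.template.cipher)
            pol.sas.append(sa)
            self.sad[(sa.spi, sa.protocol, sa.dst)] = sa
            return sa
        return None  # no matching policy

    def inbound(self, spi, protocol, dst):
        """Incoming packets select their SA by the (SPI, protocol, dst addr) tuple."""
        return self.sad.get((spi, protocol, dst))
```

Two flows to different hosts on port 8099 match the same policy but end up with two distinct SAs in its list, which is the complexity the reply points at.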
