Questions about RFC2401 and SPDs
I'm trying to understand the IPsec RFCs (especially RFC 2401) in detail.
I'd like to ask specific questions about the following scenario. Suppose
I have two hosts, A and B. Each host has exactly one network interface.
Suppose I have the following two outbound SPD entries on host A, in this
order of precedence:

1. TCP traffic from any port on A to the telnet port 23 on B is to
   be protected by ESP confidentiality using triple-DES and AH using
   HMAC-SHA1, both applied in transport mode.

2. TCP traffic from any port on A to any port on B is to be protected
   by AH using HMAC-SHA1 in transport mode.

=> Question 1: Suppose the first TCP traffic from A to B is not telnet.
   Then, SPD rule 2 will apply to this traffic. Let's suppose that the
   result is that A negotiates an outbound SA (call it SA #1) with B.
   Now, suppose a user on host A tries to open a telnet session to
   host B, matching SPD rule 1. Is it permissible for A to negotiate
   just an SA to carry ESP-protected traffic, and then to form an SA
   bundle comprising this SA and SA #1 to apply to the telnet traffic?

=> Question 2: Assume as above that host A first negotiates outbound
   SA #1 with host B to carry AH-protected traffic. Suppose now that
   when the telnet connection from host A to host B is made, host A
   negotiates two SAs (SA #2 to carry ESP-protected traffic, SA #3 to
   carry AH-protected traffic). May host A then ignore SA #3 and
   instead use an SA bundle comprising SA #1 and SA #2 to carry the
In both cases, what are the applicable RFC citations?

Thanks in advance for any help. I'm afraid right now the score is
IPsec RFCs "N", Ken zero (and N is getting large :-)
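As an added illustration of the mechanics behind the two questions above (example code written for this archive page, not taken from the post or from any IPsec implementation): a toy model of host A's ordered outbound SPD, a first-match lookup over it, and a check of which of an entry's required protections a candidate SA bundle actually supplies. The host names "A" and "B", the source ports, and the data structures are constructed placeholders. The code shows that non-telnet TCP falls through to rule 2 while telnet hits rule 1, and that SA #1 alone leaves rule 1's ESP requirement uncovered whereas SA #1 plus SA #2 covers both; whether an SA negotiated under rule 2 may be reused in a bundle for rule 1 is exactly what the post asks, and the code does not decide it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the outbound SPD on host A described in the post.
# "A" and "B" are placeholder host addresses; ANY matches any selector value.
ANY = "any"


@dataclass(frozen=True)
class Selector:
    """Traffic selectors of one SPD entry (addresses, protocol, ports)."""
    src_addr: str
    dst_addr: str
    proto: str
    src_port: object = ANY
    dst_port: object = ANY

    def matches(self, pkt: dict) -> bool:
        # Every selector field must match; ANY matches anything.
        checks = (
            (self.src_addr, pkt["src"]),
            (self.dst_addr, pkt["dst"]),
            (self.proto, pkt["proto"]),
            (self.src_port, pkt.get("sport")),
            (self.dst_port, pkt.get("dport")),
        )
        return all(want == ANY or want == got for want, got in checks)


@dataclass(frozen=True)
class Protection:
    """One protection an entry demands: IPsec protocol, mode, algorithm."""
    protocol: str    # "AH" or "ESP"
    mode: str        # "transport" or "tunnel"
    algorithm: str


@dataclass(frozen=True)
class SpdEntry:
    name: str
    selector: Selector
    required: tuple  # every Protection listed here must be applied


@dataclass(frozen=True)
class SecurityAssociation:
    """A negotiated SA as it would sit in the SAD (SPI omitted here)."""
    name: str
    peer: str
    protection: Protection


# The two outbound SPD entries from the post, in order of precedence.
RULE1 = SpdEntry(
    "rule1",
    Selector("A", "B", "tcp", ANY, 23),
    (Protection("ESP", "transport", "3DES"),
     Protection("AH", "transport", "HMAC-SHA1")),
)
RULE2 = SpdEntry(
    "rule2",
    Selector("A", "B", "tcp", ANY, ANY),
    (Protection("AH", "transport", "HMAC-SHA1"),),
)
SPD = [RULE1, RULE2]


def lookup_spd(spd, pkt: dict) -> Optional[SpdEntry]:
    """First matching entry wins: RFC 2401 requires the SPD to be ordered
    and always searched in the same order."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return None  # no policy for this traffic (the post only covers TCP A->B)


def missing_protections(bundle, entry: SpdEntry, peer: str) -> list:
    """Protections the entry demands that no SA in the bundle (with the given
    peer) supplies. An empty list means the bundle covers every requirement."""
    supplied = {sa.protection for sa in bundle if sa.peer == peer}
    return [p for p in entry.required if p not in supplied]


# SAs from the post's scenario: SA #1 negotiated under rule 2 (AH only),
# SA #2 negotiated for the telnet session (ESP only).
SA1 = SecurityAssociation("SA#1", "B", Protection("AH", "transport", "HMAC-SHA1"))
SA2 = SecurityAssociation("SA#2", "B", Protection("ESP", "transport", "3DES"))

if __name__ == "__main__":
    telnet = {"src": "A", "dst": "B", "proto": "tcp", "sport": 40000, "dport": 23}
    http = {"src": "A", "dst": "B", "proto": "tcp", "sport": 40001, "dport": 80}
    print(lookup_spd(SPD, telnet).name)                  # rule1
    print(lookup_spd(SPD, http).name)                    # rule2
    print(missing_protections((SA1,), RULE1, "B"))       # ESP still missing
    print(missing_protections((SA1, SA2), RULE1, "B"))   # []
```

Selector matching is exact-value here; a real SPD also carries address ranges, port ranges and a "populate from packet" option, and the SAD keys SAs by SPI and destination rather than by a name. Both simplifications are deliberate so that the ordering of the SPD and the protection-coverage check stay visible.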