
Questions about RFC2401 and SPDs



I'm trying to understand the IPsec RFCs (especially RFC 2401) in detail.
I'd like to ask specific questions about the following scenario.  Suppose
I have two hosts, A and B.  Each host has exactly one network interface.

Suppose I have the following two outbound SPD entries on host A, in this
order of precedence:

1.  TCP traffic from any port on A to the telnet port 23 on B is to
     be protected by ESP confidentiality using triple-DES and AH using
     HMAC-SHA1, both applied in transport mode.

2.  TCP traffic from any port on A to any port on B is to be protected
     by AH using HMAC-SHA1 in transport mode.


=> Question 1:  Suppose the first TCP traffic from A to B is not telnet.
    Then, SPD rule 2 will apply to this traffic.  Let's suppose that the
    result is that A negotiates an outbound SA (call it SA #1) with B.
    Now, suppose a user on host A tries to open a telnet session to
    host B, matching SPD rule 1.  Is it permissible for A to negotiate
    just an SA to carry ESP-protected traffic, and then to form an SA
    bundle comprising this SA and SA #1 to apply to the telnet traffic?

=> Question 2:  Assume as above that host A first negotiates outbound
    SA #1 with host B to carry AH-protected traffic.  Suppose now that
    when the telnet connection from host A to host B is made, host A
    negotiates two SAs (SA #2 to carry ESP-protected traffic, SA #3 to
    carry AH-protected traffic).  May host A then ignore SA #3 and
    instead use an SA bundle comprising SA #1 and SA #2 to carry the
    telnet traffic?

In both cases, what are the applicable RFC citations?

Thanks in advance for any help.  I'm afraid right now the score is
IPsec RFCs "N", Ken zero (and N is getting large :-)

					- Ken
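The two ordered SPD entries and the SAD state the post describes, modelled as an added example (this is not code from the post or from any IPsec implementation, and it takes no position on the reuse questions asked above). It shows first-match SPD lookup over an ordered entry list, the discard result when nothing matches, and which SAs in the SAD could serve each protection in the matched entry's bundle. The host addresses, SPI value and the `negotiated_for` tag on each SA are constructed; the lookup key used by `find_sa` (destination, protocol, mode, algorithm) is an assumption of this model, not an RFC 2401 rule.

```python
"""Model of the ordered outbound SPD and the SAD from the post's scenario.

Constructed example: addresses, the SPI and the SAD contents are made up;
the two SPD entries are the ones described in the post.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # transport protocol, e.g. "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Protection:
    protocol: str   # "ESP" or "AH"
    mode: str       # "transport" or "tunnel"
    algorithm: str


@dataclass(frozen=True)
class SPDEntry:
    name: str
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    bundle: tuple   # outbound application order: first Protection applied innermost

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto),
                 (self.sport, pkt.sport), (self.dport, pkt.dport))
        return all(sel is ANY or sel == val for sel, val in pairs)


@dataclass(frozen=True)
class SA:
    name: str
    spi: int
    dst: str
    protocol: str
    mode: str
    algorithm: str
    negotiated_for: str   # constructed tag: SPD entry whose traffic created this SA


HOST_A, HOST_B = "192.0.2.1", "192.0.2.2"  # constructed (TEST-NET-1) addresses

# Ordered SPD, most specific entry first; RFC 2401 4.4.1 lookup is first match.
# For entry 1 the ESP transform is listed first, so AH is applied over ESP.
SPD = (
    SPDEntry("telnet-to-B", HOST_A, HOST_B, "tcp", ANY, 23,
             (Protection("ESP", "transport", "3des-cbc"),
              Protection("AH", "transport", "hmac-sha1"))),
    SPDEntry("tcp-to-B", HOST_A, HOST_B, "tcp", ANY, ANY,
             (Protection("AH", "transport", "hmac-sha1"),)),
)

# SAD after the first (non-telnet) TCP flow negotiated SA #1 under entry 2.
SAD = [SA("SA #1", 0x1001, HOST_B, "AH", "transport", "hmac-sha1", "tcp-to-B")]


def spd_lookup(spd, pkt: Packet) -> Optional[SPDEntry]:
    """First matching entry; None means no policy, which RFC 2401 4.4.1
    says must result in the packet being discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def find_sa(sad, dst: str, prot: Protection) -> Optional[SA]:
    """Assumed lookup: an existing outbound SA with the same destination,
    security protocol, mode and algorithm, regardless of which SPD entry
    originally caused it to be negotiated."""
    for sa in sad:
        if (sa.dst, sa.protocol, sa.mode, sa.algorithm) == \
                (dst, prot.protocol, prot.mode, prot.algorithm):
            return sa
    return None


def plan_outbound(spd, sad, pkt: Packet):
    """Matched entry name plus, per protection in its bundle, the SA already
    in the SAD or None when one would still have to be negotiated."""
    entry = spd_lookup(spd, pkt)
    if entry is None:
        return None
    return entry.name, [(p, find_sa(sad, pkt.dst, p)) for p in entry.bundle]


if __name__ == "__main__":
    for pkt in (Packet(HOST_A, HOST_B, "tcp", 40001, 80),
                Packet(HOST_A, HOST_B, "tcp", 40002, 23),
                Packet(HOST_A, HOST_B, "udp", 40003, 53)):
        plan = plan_outbound(SPD, SAD, pkt)
        if plan is None:
            print(f"dport {pkt.dport}/{pkt.proto}: no SPD match -> discard")
            continue
        name, needs = plan
        print(f"dport {pkt.dport}/{pkt.proto}: entry {name}")
        for prot, sa in needs:
            have = f"{sa.name} (negotiated for {sa.negotiated_for})" if sa else "no SA yet"
            print(f"  {prot.protocol} {prot.mode} {prot.algorithm}: {have}")
```

Running it shows the port 80 flow landing on entry 2 with SA #1, the telnet flow landing on entry 1 with no ESP SA present and the only AH candidate being SA #1 (tagged as negotiated for entry 2), and the UDP packet matching nothing. Whether that AH candidate may be bundled with a newly negotiated ESP SA, or whether a fresh AH SA must be used, is exactly what the questions above ask; the model only makes the two SPD entries and the SAD contents explicit.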