
RFC2401 question about mismatched SPDs



I have a question about RFC2401.  I'm trying to understand
the processing required in section 5 when one system's SPD
contains a more specific rule than the peer's SPD.

Allow me to offer a specific scenario for my question.  I
hope the detail will make my question clearer.  Thanks in
advance to anyone who slogs through this.

Scenario:

1.  A is a two-port security gateway device.  The LAN port
     on A is assigned IP address 1.1.1.100 and is connected
     to the 1.1.1/24 subnet.  The WAN port connects to A's
     ISP.

2.  B is a two-port security gateway device.  The LAN port
     on B is assigned IP address 2.2.2.200 and is connected
     to the 2.2.2/24 subnet.  The WAN port connects to B's
     ISP.

3.  X (IP address 1.1.1.1) is a PC on the 1.1.1/24 subnet.

4.  Y (IP address 2.2.2.2) is a PC on the 2.2.2/24 subnet.

           WAN             |             WAN
            |              |              |
          +-+-+            |            +-+-+
          | A |            |            | B |
          +-+-+            |            +-+-+
1.1.1/24   | (1.1.1.100)  |  (2.2.2.200) |    2.2.2/24
---+-------+------------  |  ------------+-+----------
    |                      |                |
    X (1.1.1.1)            |                Y (2.2.2.2)



The SPD associated with A's WAN port is configured as follows.


Pri. Inbound Rule                  Outbound Rule


1    Selectors:                    Selectors:
        Src Addr 2.2.2/24            Src Addr 1.1.1/24
        Dst Addr 1.1.1/24            Dst Addr 2.2.2/24
      Action: require ESP-DES       Action: apply ESP-DES
                                                  (tunnel mode)
      IPsec peer: B's WAN IP addr   IPsec peer: B's WAN IP addr


2    Selectors:                    Selectors:
        any traffic                   any traffic
      Action: expect cleartext      Action: pass cleartext



The SPD associated with B's WAN port is configured as follows.


Pri. Inbound Rule                  Outbound Rule


1    Selectors:                    Selectors:
        Src Addr 1.1.1.1/32           Src Addr 2.2.2.2/32
        Dst Addr 2.2.2.2/32           Dst Addr 1.1.1.1/32
      Action: require ESP-DES-MD5   Action: apply ESP-DES-MD5
                                                  (tunnel mode)
      IPsec peer: A's WAN IP addr   IPsec peer: A's WAN IP addr


2    Selectors:                    Selectors:
        Src Addr 1.1.1/24             Src Addr 2.2.2/24
        Dst Addr 2.2.2/24             Dst Addr 1.1.1/24
      Action: require ESP-DES       Action: apply ESP-DES
                                                  (tunnel mode)
      IPsec peer: A's WAN IP addr   IPsec peer: A's WAN IP addr


3    Selectors:                     Selectors:
        any traffic                   any traffic
      Action: expect cleartext      Action: pass cleartext


------------------------------------------------------------

Question 1:

Suppose X pings Y, and this is the first traffic between
subnets 1.1.1/24 and 2.2.2/24.  Presumably, when A forwards
the ICMP echo request, it will apply its WAN port SPD and
will trigger an IKE negotiation with B to create a pair of
IPsec SAs with the selectors (IDci = 1.1.1/24, IDcr =
2.2.2/24) (using A's rule #1 and B's rule #2).

Now, according to RFC2401, section 5.1.1, when B forwards
Y's ICMP echo reply, it consults the WAN port's SPD to find
the first (highest priority) matching SPD rule for the
packet selectors (src addr = 2.2.2.2, dst addr = 1.1.1.1,
protocol = ICMP).  The applicable rule is #1.  B must
therefore negotiate with A to create an IPsec SA bundle with
the selectors (IDci = 2.2.2.2/32, IDcr = 1.1.1.1/32).

Is this correct, even though A has already negotiated a pair
of IPsec SAs for this traffic flow?  (It seems necessary,
since the SPD on B's WAN port requires additional protection.)

------------------------------------------------------------

Question 2:

Assume now the first rule in B's WAN port SPD has been
modified to require/apply ESP-DES only (no MD5).  (Now, this
rule is redundant, since it is a special case of rule 2.
However, rule 1 does restrict the selectors for the IPsec
SAs for which it causes a negotiation.)

A strict reading of RFC2401 section 5.1.1 seems to require B
to negotiate an IPsec SA pair when forwarding Y's ICMP
response.  Specifically, using the packet selectors (src
addr = 2.2.2.2, dst addr = 1.1.1.1, protocol = ICMP) to
search the outbound SPD, the applicable rule with the
highest priority is #1.  According to step 1 of section
5.1.1, we then note that no SAs are associated with this SPD
rule.  Therefore, we trigger an IKE negotiation with A to
create an IPsec SA bundle with the selectors
(IDci = 2.2.2.2/32, IDcr = 1.1.1.1/32).

Is this correct, even though in this case we could have used
the IPsec SA bundle already negotiated to provide the
protection required by B's WAN port outbound SPD?

Again, thanks.  Any and all help is appreciated!

					- Ken
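The following is an added example, not part of Ken's message and not code from any IPsec implementation. It models the outbound SPD lookup of RFC2401 section 5.1.1 for exactly the two SPDs above (first matching rule wins, SAs are bound to the rule that caused their negotiation) and drives the X-pings-Y exchange through it, so that the two readings the message contrasts can be compared side by side: the strict reading, where B's rule #1 has no SA of its own and therefore triggers a new negotiation, and the alternative where an already negotiated SA whose selectors cover the packet and whose protection is at least what the rule demands is reused. The rule names (`A#1`, `B#2`, ...), the `reuse_covering_sa` switch, the transform sets and the toy `negotiate()` (a responder accepts a proposal only if it holds a rule with the mirrored selectors and the same transform) are assumptions made for the model, not RFC2401 text.

```python
"""Model of RFC2401 5.1.1 outbound processing for the A/B scenario.
Constructed example; rule names, transform sets and the reuse switch
are assumptions, not RFC text."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    src: str  # CIDR; "0.0.0.0/0" stands for the SPD's "any traffic"
    dst: str

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def mirror(self):
        """The same flow's selectors as seen from the other gateway."""
        return Selector(self.dst, self.src)


@dataclass
class SA:
    sel: Selector          # negotiated (IDci -> IDcr) selectors
    transform: frozenset   # services provided, e.g. {"ESP", "DES"}
    peer: str


@dataclass
class Rule:
    name: str
    sel: Selector
    transform: Optional[frozenset]   # None = "pass cleartext"
    peer: Optional[str] = None
    sas: list = field(default_factory=list)  # SAs created for this rule


class Gateway:
    def __init__(self, name, rules):
        self.name, self.rules = name, rules

    def rule_for(self, src_ip, dst_ip):
        """First (highest-priority) matching rule: 5.1.1 step 1."""
        return next(r for r in self.rules if r.sel.matches(src_ip, dst_ip))

    def outbound(self, src_ip, dst_ip, reuse_covering_sa=False):
        rule = self.rule_for(src_ip, dst_ip)
        if rule.transform is None:
            return ("bypass", rule.name)
        if rule.sas:                      # an SA bound to this rule exists
            return ("use_sa", rule.sas[0])
        if reuse_covering_sa:
            # Alternative reading: any existing SA whose selectors cover the
            # packet and whose protection is a superset of the rule's will do.
            for other in self.rules:
                for sa in other.sas:
                    if sa.sel.matches(src_ip, dst_ip) and sa.transform >= rule.transform:
                        return ("use_sa", sa)
        return ("negotiate", rule.sel, rule.transform)   # invoke IKE


def negotiate(initiator, rule, responder):
    """Toy IKE (assumption): the responder accepts the proposal only if one
    of its rules carries the mirrored selectors and the same transform."""
    proposal = rule.sel
    for r in responder.rules:
        if r.transform == rule.transform and r.sel == proposal.mirror():
            rule.sas.append(SA(proposal, rule.transform, responder.name))
            r.sas.append(SA(proposal.mirror(), rule.transform, initiator.name))
            return True
    return False


DES = frozenset({"ESP", "DES"})                  # "ESP-DES"
DES_MD5 = frozenset({"ESP", "DES", "HMAC-MD5"})  # "ESP-DES-MD5"
ANY = Selector("0.0.0.0/0", "0.0.0.0/0")


def build(b_rule1_transform):
    """Outbound SPDs of A's and B's WAN ports, as in the message."""
    a = Gateway("A", [
        Rule("A#1", Selector("1.1.1.0/24", "2.2.2.0/24"), DES, "B-wan"),
        Rule("A#2", ANY, None),
    ])
    b = Gateway("B", [
        Rule("B#1", Selector("2.2.2.2/32", "1.1.1.1/32"), b_rule1_transform, "A-wan"),
        Rule("B#2", Selector("2.2.2.0/24", "1.1.1.0/24"), DES, "A-wan"),
        Rule("B#3", ANY, None),
    ])
    return a, b


def echo_reply_decision(b_rule1_transform, reuse_covering_sa=False):
    """X pings Y: A negotiates /24 <-> /24 SAs first (A#1 meets B#2), then
    B has to forward Y's echo reply.  Returns B's outbound decision."""
    a, b = build(b_rule1_transform)
    assert a.outbound("1.1.1.1", "2.2.2.2")[0] == "negotiate"
    assert negotiate(a, a.rule_for("1.1.1.1", "2.2.2.2"), b)
    return b.outbound("2.2.2.2", "1.1.1.1", reuse_covering_sa)


if __name__ == "__main__":
    print("Q1 strict:", echo_reply_decision(DES_MD5))
    print("Q1 reuse :", echo_reply_decision(DES_MD5, reuse_covering_sa=True))
    print("Q2 strict:", echo_reply_decision(DES))
    print("Q2 reuse :", echo_reply_decision(DES, reuse_covering_sa=True))
```

Running it shows the distinction the two questions turn on: with ESP-DES-MD5 in B's rule #1 (question 1) both readings end in a fresh negotiation for 2.2.2.2/32 <-> 1.1.1.1/32, because the /24 SA negotiated by A does not provide the authentication the rule requires; with ESP-DES only (question 2) the strict per-rule binding still negotiates, while the covering-SA reading forwards the echo reply on the SA already created for rule #2.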