
Re: SA identification
In message <p0501040fb6e13ad23d2a@[128.33.4.39]>, Stephen Kent writes:
>
> Hmmm. Hadn't considered that issue. In the first case, this is a
> problem if one has a single IPsec "device" serving all of the hosts
> and yet not acting as a security gateway, right? Doesn't the IP
> implementation have to be "funny" here too?

Only in that IPsec packets have to be passed to the IPsec stack, regardless
of whether the packet is destined for the local host or not -- the code for
that is really minimal, especially if the OS in question has bridging support.
But, I don't see where the destination address comes into it, *unless* the
"device" does not also run the key management (e.g., IKE), but is somehow
told what the SA parameters are.

Which reminds me -- isn't 3GPP proposing to do exactly that? Perhaps removing
the destination address as an SAD selector would make this impossible (in which
case, I'm in favor -- that scheme sounds hare-brained).

However, it occurs to me that Bill might have meant that a single box is
pretending to be multiple virtual hosts in all manners (all the way up to
application land), which would imply the need for a complete separation between
the different virtual hosts' SADs. Two ways to implement this are either through
a two-stage lookup (find the SAD that corresponds to a particular address, then
do the SA lookup in that) or through one SAD with (address, spi, protocol) as the
key, exactly as we do now, trusting the SAD to do the separation.
-Angelos
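The two SAD layouts described in the reply above, as an added example that is not part of the list thread: a flat SAD keyed on (address, spi, protocol), a two-stage per-virtual-host lookup, and a check of what happens to the separation once the destination address is dropped from the key. The virtual host names, addresses and SPIs are constructed sample values.

```python
# Added example (not from the list thread): the two SAD layouts the reply
# describes for one box acting as several virtual hosts, and what happens
# to SA separation when the destination address is dropped from the key.
from collections import namedtuple

SA = namedtuple("SA", "vhost dst spi proto")

# Constructed: two virtual hosts that chose their inbound SPIs independently
# and picked the same SPI for the same protocol; only the address differs.
SA_A = SA("vhostA", "192.0.2.1", 0x1000, "esp")
SA_B = SA("vhostB", "192.0.2.2", 0x1000, "esp")


class FlatSAD:
    """One SAD keyed on (address, spi, protocol): the SAD does the separation."""
    def __init__(self):
        self._t = {}

    def add(self, sa):
        key = (sa.dst, sa.spi, sa.proto)
        if key in self._t:
            raise ValueError("SA collision on %r" % (key,))
        self._t[key] = sa

    def lookup(self, dst, spi, proto):
        return self._t.get((dst, spi, proto))


class TwoStageSAD:
    """Stage 1: address -> that virtual host's SAD; stage 2: (spi, protocol)."""
    def __init__(self):
        self._per_host = {}

    def add(self, sa):
        sad = self._per_host.setdefault(sa.dst, {})
        if (sa.spi, sa.proto) in sad:
            raise ValueError("SA collision in SAD of %s" % sa.dst)
        sad[(sa.spi, sa.proto)] = sa

    def lookup(self, dst, spi, proto):
        sad = self._per_host.get(dst)
        return None if sad is None else sad.get((spi, proto))


def resolve_owners(sad):
    """Load both SAs, then match one inbound packet per virtual host."""
    sad.add(SA_A)
    sad.add(SA_B)
    return [sad.lookup(sa.dst, sa.spi, sa.proto).vhost for sa in (SA_A, SA_B)]


def spi_only_keys_collide():
    """Without the address in the key, both SAs map to the same entry."""
    return len({(sa.spi, sa.proto) for sa in (SA_A, SA_B)}) < 2
```

Both layouts resolve each packet to the right virtual host as long as the address is part of the lookup; with (spi, protocol) alone the two SAs collide and the second add would have to be rejected or would overwrite the first.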