
Re: Misc. issues: Inbound SA triple identification /Inbound&Outbound SA, selectors exchange



At 12:19 PM -0700 4/23/01, Emmanuel Hislen wrote:
>Hi,
>
>After reading most IPSEC related RFCs and various books, and discussing
>with many people, I am still bumping on the following issues. Hopefully
>some of you have already been through these questions and can give me
>some hints or a different point of view.
>
>1.
>SA definition (RFC 2401, section 4.1, p. 8).
>In most places it is said that one of the three keys to identify an SA
>is the IP destination address: but the meaning of "destination" is
>different depending on whether we deal with an inbound or outbound SA.

The discussion in 4.1 refers only to inbound traffic that has been 
IPsec protected, and thus carries an SPI. Outbound traffic (not yet 
IPsec processed by the device in question) has no SPI (applied by 
this IPsec device).

>
>For an outbound SA, the destination address is actually the right key.

For outbound traffic, SPD entries specify the "keys" used to map 
traffic to SAs and there are 5 different types of packet selectors, 
as described in 4.4.2.

>For an inbound SA, the IP address which allows us to uniquely identify an
>SA, along with the SPI and the protocol, is the SOURCE IP address. There
>is no reason why two remote peers would not allocate the same SPI. I'd
>say we even need to consider the source IP address of the cryptographic
>endpoint: in tunnel mode we need to know the IP address of the IPSEC
>tunnel endpoint in order to uniquely identify the SA for an incoming
>packet.
>
>Is this correct?

No. For unicast SAs, the SPI is allocated by the target of the SA and 
thus need be only locally unique. The dest IP address is needed to 
differentiate among SAs only to accommodate multicast, where the SPI 
is assigned by the multicast controller.

Steve
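As an added illustration of the point Steve makes (example code, not from the thread): an inbound SAD keyed the RFC 2401 way on (destination address, SPI, protocol), where the receiver allocates unicast SPIs and multicast SPIs arrive from a group controller. All addresses, SPI values and controller names below are constructed.

```python
from dataclasses import dataclass
import itertools

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec headers


@dataclass(frozen=True)
class InboundSA:
    peer: str    # remote endpoint; kept for logging, NOT part of the lookup key
    dst: str     # our own unicast address, or the multicast group address
    spi: int
    proto: int


class InboundSAD:
    """Inbound Security Association Database indexed by (dst, SPI, proto)."""

    def __init__(self, first_spi=0x100):
        self._sas = {}
        # Receiver-side SPI allocator; RFC 2401 reserves SPIs 1-255, so start above.
        self._spi_counter = itertools.count(first_spi)

    def _insert(self, sa):
        key = (sa.dst, sa.spi, sa.proto)
        if key in self._sas:
            raise ValueError(f"SPI collision on {key}")
        self._sas[key] = sa
        return sa

    def add_unicast(self, peer, local_addr, proto):
        # For unicast the target (us) chooses the SPI, so it only has to be
        # locally unique: two peers cannot end up sharing one by accident.
        return self._insert(InboundSA(peer, local_addr, next(self._spi_counter), proto))

    def add_multicast(self, group_addr, spi, proto, controller):
        # For multicast the group controller assigns the SPI, so the same SPI
        # can legitimately show up for two groups; the group (dst) address
        # is what keeps the two SAs apart.
        return self._insert(InboundSA(controller, group_addr, spi, proto))

    def lookup(self, dst, spi, proto):
        # The packet's source address plays no part in the inbound lookup.
        return self._sas.get((dst, spi, proto))


def demo():
    sad = InboundSAD()
    a = sad.add_unicast("198.51.100.7", "192.0.2.1", ESP)   # constructed peer A
    b = sad.add_unicast("203.0.113.9", "192.0.2.1", ESP)    # constructed peer B
    g1 = sad.add_multicast("233.252.0.1", 0x1000, ESP, "ctrl-1")
    g2 = sad.add_multicast("233.252.0.2", 0x1000, ESP, "ctrl-2")
    return sad, a, b, g1, g2
```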

