
ID payloads semantics for phase 2 SAs



I'm wondering what the semantics of the ID payloads
in phase 2 are. Look at this example:

[Host1 (206.1.1.1)] ====== [Host2 (206.1.1.2)]

Suppose that Host1 has SPD (in priority order):
send-clear udp any
send-crypt ip-dst 206.1.1.2

;; Host1 will send all UDP in the clear, and 
;; any non-UDP traffic to 206.1.1.2 will get
;; encrypted

Suppose that Host2 has SPD (in priority order):
send-clear udp 500
send-crypt ip-dst 206.1.1.1

;; Host2 will send all UDP port 500 traffic in
;; the clear, and all non-UDP/500 traffic to
;; 206.1.1.1 will get encrypted

The ID payloads are sent on the wire, and the 
IPSec SAs get setup. These ID payloads don't
(cannot) express the actual set of traffic that
will be protected. 

Traffic starts, Host2 initiates a top-secret
transaction using UDP port 2000, and Host1 sends
the top-secret response in the clear! 

Is this expected behavior? Shouldn't the ID
payloads give you some expectation of protection?
With this behavior, all the ID payload really
says is that some classes of traffic won't make it
into the tunnel, but there is no guarantee that
*any* class of traffic will!

Should IKE at some point be enhanced so that
ID payloads can be chained to express more complex
classes of traffic?

Sorry if this has been mulled over before,

Jeff
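The scenario above, modelled as a small priority-ordered SPD lookup so the asymmetry can be checked mechanically. This is an added example and not code from the post; the `Rule`/`Packet` classes, the first-match `lookup`, and the assumption that the reply uses the same destination port as the request (real replies go to the initiator's ephemeral port, but Host1's `send-clear udp any` rule matches either way) are simplifications made here. `asymmetric_flows` goes slightly beyond the post's single UDP/2000 case and enumerates every flow class in a small sample set whose protection differs by direction, which is the check a practitioner would want before trusting that a negotiated SA covers a given class of traffic.

```python
"""Model of two mismatched SPDs and the direction-dependent protection it causes.

Added example: the hosts, addresses and rules are taken from the post; the
data model, first-match lookup and the reply-port simplification are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOST1 = "206.1.1.1"
HOST2 = "206.1.1.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "clear" or "crypt"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    dst: Optional[str] = None       # None matches any destination address

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.dst is None or self.dst == pkt.dst))


def lookup(spd: List[Rule], pkt: Packet, default: str = "discard") -> str:
    """First-match lookup in priority order, as the post's SPDs are written."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.action
    return default


# Host1: send-clear udp any; send-crypt ip-dst 206.1.1.2
SPD_HOST1 = [Rule("clear", proto="udp"), Rule("crypt", dst=HOST2)]
# Host2: send-clear udp 500; send-crypt ip-dst 206.1.1.1
SPD_HOST2 = [Rule("clear", proto="udp", dport=500), Rule("crypt", dst=HOST1)]


def exchange(proto: str, port: Optional[int]) -> Tuple[str, str]:
    """How Host2 sends a request to Host1, and how Host1 sends the reply.

    Simplification (assumed here): the reply carries the same dport as the request.
    """
    request = Packet(HOST2, HOST1, proto, port)
    reply = Packet(HOST1, HOST2, proto, port)
    return lookup(SPD_HOST2, request), lookup(SPD_HOST1, reply)


def asymmetric_flows(spd_a: List[Rule], addr_a: str,
                     spd_b: List[Rule], addr_b: str,
                     protos=("udp", "tcp", "icmp"),
                     ports=(500, 2000, 4500)) -> List[Tuple[str, int]]:
    """Flow classes (proto, port) whose protection differs between A->B and B->A.

    The proto/port sample set is a constructed probe list, not a full enumeration.
    """
    found = []
    for proto in protos:
        for port in ports:
            a_to_b = lookup(spd_a, Packet(addr_a, addr_b, proto, port))
            b_to_a = lookup(spd_b, Packet(addr_b, addr_a, proto, port))
            if a_to_b != b_to_a:
                found.append((proto, port))
    return found


if __name__ == "__main__":
    # The post's transaction: Host2 sends on UDP/2000, Host1 answers in the clear.
    print("udp/2000 request, reply:", exchange("udp", 2000))
    print("asymmetric flow classes:",
          asymmetric_flows(SPD_HOST2, HOST2, SPD_HOST1, HOST1))
```

Only UDP port 500 and the non-UDP protocols come out symmetric; every other UDP port is protected in one direction and sent clear in the other, which is exactly the gap the phase 2 ID payloads do not describe.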