[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SA look up

To: "'IPsec WG'" <ipsec@lists.tislabs.com>
Subject: SA look up
From: "Jin Zhang" <jzhang@elmic.com>
Date: Tue, 4 Dec 2001 16:04:59 -0800
References: <4652644B98DFF34696801F8F3070D3FE01188488@D2CSPEXM001.smartpipes.com> <OE53lX4u2i50ddbahBy0000bac0@hotmail.com>
Sender: owner-ipsec@lists.tislabs.com

Title: Message

Hi, there,

I know I must be wrong somewhere, please kindly correct me:

       C 192.168.1.2
       /
      /
     /
    /
   A -----------B 192.168.1.3
192.168.1.1

At site A, there exists policy:
From source (192.168.1.1) to destination (ip minmum 192.168.1.2 to - ip maximum 192.168.1.10), any src port, any dst port, any prorocol, use AH-transport mode, and md5-hmac to protect traffic. All the SA selector uses the value associated with the policy entry.

Now if A wants to send message to B, SAs will be negotiated between A and B, so there will be an outbound SA at site A. Since the selector value will use the policy entry, the same SA will be used for traffic A -> C.

Now the problem comes, when C receives a packet from A, it looks its own inbound SA table by looking <dst IP= C, spi, AH-protocol> ), the SA is NOT there ! The packet will be dropped. And it seems no way to overcome this, because whenever A wants to send message to C, it will locate a SA, which is actually negotiated between A and B.

Thanks for your help,

Jin Zhang

Elmic Systems USA

References:

RE: On shared keys (was RE: SOI: identity protection and DOS)

From: "Wang, Cliff" <CWang@smartpipes.com>

Re: On shared keys (was RE: SOI: identity protection and DOS)

From: "david chen" <ietf_davidchen@hotmail.com>

Prev by Date: Re: compare-jfk-sigma.txt
Next by Date: Re: compare-jfk-sigma.txt
Prev by thread: Re: On shared keys (was RE: SOI: identity protection and DOS)
Next by thread: RE: SA look up
Index(es):
- Main
- Thread