
Re: SA look up




Your SP (Security Policy) has address selectors of a range from 192.168.1.2
to 192.168.1.10.

When you first communicate with B (192.168.1.3) you "hit" your SP and you
negotiate an SA for an address selector of 192.168.1.3. That is, your SAs
with B will have an address selector for a single address. This SA pair
cannot be used to communicate with C. Sending more messages to B will hit
the SP and use the available SAs to protect the packets.

Sending a message to C will also hit the SP, but no SA is available
(remember that the SA which is there has an address selector to B only),
so you then have to negotiate one with C for an address selector of
192.168.1.2.

You then have 2 SA pairs (Inbound+Outbound) for your single SP. Your SP can
have up to 9 SA pairs because of its address selectors.

Francis Montreuil
Motus Technologies inc.
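The SPD/SAD behaviour described in the reply above, replayed as an added example (not code from either poster): one SP on A whose destination selector spans 192.168.1.2 to 192.168.1.10, a per-peer SA pair created on first use, and the inbound <dst IP, SPI, protocol> lookup from the question. The SPI values, the 0x1000 counter and the `negotiate` stand-in for IKE are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
AH = 51  # IP protocol number of the Authentication Header

@dataclass
class SP:
    """A Security Policy whose destination selector is an address range (here .2 to .10)."""
    dst_lo: str
    dst_hi: str
    sas: dict = field(default_factory=dict)  # outbound SAs this SP has spawned: peer -> SPI

    def matches(self, dst):
        lo, hi = ipaddress.ip_address(self.dst_lo), ipaddress.ip_address(self.dst_hi)
        return lo <= ipaddress.ip_address(dst) <= hi

    def max_sa_pairs(self):  # one SA pair per address the selector can name (9 here)
        return int(ipaddress.ip_address(self.dst_hi)) - int(ipaddress.ip_address(self.dst_lo)) + 1

class Node:
    def __init__(self, addr, spd):
        self.addr, self.spd, self._next_spi = addr, spd, 0x1000  # constructed SPI counter
        self.sad_in = set()  # inbound SAD keyed as in the question: (dst IP, SPI, protocol)

    def negotiate(self, peer, sp):
        """Stand-in for IKE (constructed): create one SA pair whose selector is this single peer."""
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sp.sas[peer.addr] = spi                  # our outbound SA, usable for this peer only
        peer.sad_in.add((peer.addr, spi, AH))    # the peer's matching inbound SA
        return spi

    def send(self, peer):
        """Outbound: hit the SP, then reuse the SA for this peer or negotiate a new one."""
        sp = next(p for p in self.spd if p.matches(peer.addr))  # StopIteration = no SP hit
        if peer.addr in sp.sas:
            return ("reused", sp.sas[peer.addr])
        return ("negotiated", self.negotiate(peer, sp))

def receive(node, spi):
    """Inbound lookup at the receiver by <dst IP, SPI, AH>, as in the question."""
    return (node.addr, spi, AH) in node.sad_in

def scenario():
    """Replay the thread: A's single SP covers .2-.10; A talks to B twice, then to C."""
    sp = SP("192.168.1.2", "192.168.1.10")
    a, b, c = Node("192.168.1.1", [sp]), Node("192.168.1.3", []), Node("192.168.1.2", [])
    events = [a.send(b), a.send(b), a.send(c)]
    return {"events": events, "sa_pairs": len(sp.sas), "max_sa_pairs": sp.max_sa_pairs(),
            "c_accepts_ac_sa": receive(c, events[2][1]),   # C installed the A<->C SA
            "c_accepts_ab_sa": receive(c, events[0][1])}   # C never saw the A<->B SA
```

Running `scenario()` shows the second message to B reusing the first SA, the message to C negotiating a second pair under the same SP, and C accepting only the SPI it installed itself.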



"Jin Zhang" <jzhang@elmic.com>
Sent by: owner-ipsec@lists.tislabs.com
04/12/2001 19:04

To: "'IPsec WG'" <ipsec@lists.tislabs.com>
cc:
Subject: SA look up




Hi, there,

I know I must be wrong somewhere, please kindly correct me:

       C 192.168.1.2
       /
      /
     /
    /
   A -----------B  192.168.1.3
192.168.1.1

At site A, there exists policy:
From source (192.168.1.1) to destination (ip minimum 192.168.1.2 to ip
maximum 192.168.1.10), any src port, any dst port, any protocol, use
AH-transport mode, and md5-hmac to protect traffic. All the SA selectors
use the value associated with the policy entry.

Now if A wants to send a message to B, SAs will be negotiated between A and
B, so there will be an outbound SA at site A. Since the selector value will
use the policy entry, the same SA will be used for traffic A -> C.

Now the problem comes: when C receives a packet from A, it looks up its own
inbound SA table by <dst IP = C, SPI, AH protocol>, and the SA is NOT
there! The packet will be dropped. And there seems to be no way to overcome this,
because whenever A wants to send a message to C, it will locate a SA, which
is actually negotiated between A and B.

Thanks for your help,

Jin Zhang
Elmic Systems USA




