
Re: Ref.: SA look up



Dear Francis,

Thanks for your answer. And I understand the SA should be generated as in
your description if the SP says using the PACKET value. But my problem is
using the POLICY value.

The RFC 2401 section 4.4.1 has an example, if SP says using the value
associated with the POLICY entry, the SA selector will be RANGE OF HOSTS,
NOT SINGLE ADDRESS.

My understanding is that, besides the selector (in which the destination
address could be a range), we should have another destination address which
must be a single address (the peer IP). And when we look up the SA, as in RFC
2401 section 5.1.1 step 2, we should not only match the selector
destination (which could be a RANGE), but also match this single destination
address. Then what is the use of using RANGE OF HOSTS in the SAD selector, as
described in RFC 2401?

still puzzled,

Jin

----- Original Message -----
From: "Francis Montreuil" <fmontreuil@motus.com>
To: "Jin Zhang" <jzhang@elmic.com>
Cc: "'IPsec WG'" <ipsec@lists.tislabs.com>; <owner-ipsec@lists.tislabs.com>
Sent: Wednesday, December 05, 2001 9:09 AM
Subject: Ref.: SA look up



Your SP (Security Policy) has address selectors of a range from 192.168.1.2
to 192.168.1.10.

When you first communicate with B (192.168.1.3) you "hit" your SP and you
negotiate a SA for an address selector of 192.168.1.3. That is, your SAs
with B will have an address selector of a single address. This SA pair
cannot be used to communicate with C. Sending more messages to B will hit
the SP and use the available SAs to protect the packets.

Sending a message to C will also hit the SP, but no SA is available
(remember that the SA which is there has an address selector to B only),
you then have to negotiate it with C for an address selector of
192.168.1.2.

You then have 2 SA pairs (Inbound+Outbound) for your single SP. Your SP can
have up to 9 SA pairs because of its address selectors.

Francis Montreuil
Motus Technologies inc.




"Jin Zhang" <jzhang@elmic.com>
Sent by: owner-ipsec@lists.tislabs.com
04/12/2001 19:04

To: "'IPsec WG'" <ipsec@lists.tislabs.com>
cc:
Subject: SA look up






Hi, there,

I know I must be wrong somewhere, please kindly correct me:

       C 192.168.1.2
       /
      /
     /
    /
   A -----------B  192.168.1.3
192.168.1.1

At site A, there exists policy:
From source (192.168.1.1) to destination (ip minimum 192.168.1.2 to ip
maximum 192.168.1.10), any src port, any dst port, any protocol, use
AH transport mode, and md5-hmac to protect traffic. All the SA selectors
use the value associated with the policy entry.

Now if A wants to send message to B, SAs will be negotiated between A and
B, so there will be an outbound SA at site A. Since the selector value will
use the policy entry, the same SA will be used for traffic A -> C.

Now the problem comes: when C receives a packet from A, it looks up its own
inbound SA table by <dst IP = C, spi, AH-protocol>, and the SA is NOT
there! The packet will be dropped. And it seems there is no way to overcome this,
because whenever A wants to send a message to C, it will locate a SA which
is actually negotiated between A and B.

Thanks for your help,

Jin Zhang
Elmic Systems USA
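To make the two readings in this thread concrete, here is an added Python toy model (not code from either poster, nor from any IPsec implementation) of A's SPD entry and SAD, with the SA selector copied either from the PACKET or from the POLICY as RFC 2401 section 4.4.1 allows. The addresses are the thread's; the SPI values, the `peer` field recording the SA's own destination, and the optional peer check in `lookup` are constructed assumptions about how an implementation might model the extra match Jin describes.

```python
"""Toy model of the RFC 2401 SPD/SAD lookup discussed in this thread.
Addresses come from the thread; SPIs and the `peer` field are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def ip(addr: str) -> int:
    return int(IPv4Address(addr))


# A's policy: dst 192.168.1.2 - 192.168.1.10, AH transport mode, HMAC-MD5
POLICY_LO, POLICY_HI = ip("192.168.1.2"), ip("192.168.1.10")


@dataclass
class SA:
    spi: int
    peer: str      # address the SA was negotiated with (the SAD entry's own dst)
    sel_lo: int    # destination selector, copied from PACKET or POLICY
    sel_hi: int


def negotiate(peer: str, selector_source: str) -> SA:
    """Build A's outbound SA to `peer` with the selector the SP prescribes."""
    spi = 0x1000 + (ip(peer) & 0xFF)   # constructed; only needs to be unique here
    if selector_source == "POLICY":    # RFC 2401 4.4.1: selector = the whole range
        return SA(spi, peer, POLICY_LO, POLICY_HI)
    return SA(spi, peer, ip(peer), ip(peer))  # PACKET: single address (Francis's case)


def lookup(sad: list, dst: str, check_peer: bool):
    """Find an outbound SA for a packet to `dst`.

    check_peer=False matches the selector range only (Jin's worry).
    check_peer=True additionally requires the SA's own destination to
    equal dst, the extra match Jin reads into section 5.1.1 step 2."""
    for sa in sad:
        if sa.sel_lo <= ip(dst) <= sa.sel_hi and (not check_peer or sa.peer == dst):
            return sa
    return None


def peer_chosen_for_c(selector_source: str, check_peer: bool):
    """A talked to B first; now a packet for C is sent. Whose SA is picked?"""
    sad = [negotiate("192.168.1.3", selector_source)]   # only the SA with B exists
    sa = lookup(sad, "192.168.1.2", check_peer)
    return None if sa is None else sa.peer               # None => negotiate with C
```

With POLICY-derived selectors and no peer check the packet for C is matched to the SA negotiated with B, which C will drop on its inbound <dst, SPI, AH> lookup; either PACKET-derived selectors or the additional peer check yields no match and forces a fresh negotiation with C.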






