
Re: compare-jfk-sigma.txt



On Wed, 05 Dec 2001 01:06:23 +0200 you wrote
> 
> Seeing some selector payloads introduced in IKE2, I think this is
> totally wrong direction. Key negotiation does not need the selectors
> (and old IKE should not have tried to use id payloads to pass
> selector/policy type information).
>
> If Key negotiation protocol is open for new ideas, I would strongly
> prefer a key negotiation that only negotiates one directional SA as
> requested by the kernel side of the IPSEC (in my case, key management
> is provided with the information about the required SA via PFKEYv2
> ACQUIRE message). It does not need to know about selectors, it does
> not need to know even if the SA is for tunnel or transport mode! Also,
> note that key management doesn't need to care about bundles either!

Yes, it does need to know. To do as you suggest would result in undetectable
blackholes. In Alice's mind she's going to access 172.21/16 since that's
in her SPD. In Bob's mind Alice is only going to be allowed to send TCP
traffic to 172.21.74.113/28 since that's in his. If SPD information is
not conveyed then Alice's packets that are not TCP to 172.21.74.113/28 will
be dropped by Bob and there is no way for Bob to inform her of the problem
or for her to figure it out for herself.

We've had this discussion before (the last one in person at Nokia Research
Center in Helsinki) and I thought it was resolved. If this is more than a
religious issue can you explain what problem is caused by having SPD
information conveyed during SA establishment?

  Dan.
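The blackhole Dan describes, worked through as an added example that is not part of this message or of any draft under discussion. Alice's SPD sends everything for 172.21/16 over the SA; Bob's SPD for that SA admits only TCP to the /28 written above as 172.21.74.113/28 (the block 172.21.74.112/28). With no selector information exchanged, the non-matching packets are dropped at Bob and Alice gets no signal. The "with selectors" path narrows both policies to their intersection so Alice can tell locally which flows the SA covers; that narrowing rule, the Selector/Packet model and the sample packets are constructed for the illustration, not taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    proto: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: destination prefix, IP protocol (None = any) and an
    inclusive destination port range. A constructed model of one SPD entry."""
    dst: IPv4Network
    proto: Optional[int] = None
    ports: Tuple[int, int] = (0, 65535)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and self.ports[0] <= pkt.dport <= self.ports[1])

    def intersect(self, other: "Selector") -> Optional["Selector"]:
        """Narrow two selectors to the traffic both sides agree to protect.
        None means the two policies do not overlap at all."""
        if self.dst.subnet_of(other.dst):
            dst = self.dst
        elif other.dst.subnet_of(self.dst):
            dst = other.dst
        else:
            return None
        if (self.proto is not None and other.proto is not None
                and self.proto != other.proto):
            return None
        proto = self.proto if self.proto is not None else other.proto
        lo = max(self.ports[0], other.ports[0])
        hi = min(self.ports[1], other.ports[1])
        if lo > hi:
            return None
        return Selector(dst, proto, (lo, hi))


# Alice's SPD entry: everything to 172.21/16 goes over this SA.
ALICE_SPD = Selector(ip_network("172.21.0.0/16"))
# Bob's SPD entry for the same SA: only TCP to the /28 containing
# 172.21.74.113 (strict=False yields the block 172.21.74.112/28).
BOB_SPD = Selector(ip_network("172.21.74.113/28", strict=False), proto=TCP)

# Constructed sample traffic originating at Alice.
PACKETS = [
    Packet(ip_address("172.21.74.115"), TCP, 22),   # inside both policies
    Packet(ip_address("172.21.74.115"), UDP, 53),   # in Alice's, not Bob's
    Packet(ip_address("172.21.9.9"), TCP, 80),      # in Alice's, not Bob's
    Packet(ip_address("10.0.0.1"), TCP, 80),        # not on this SA at all
]


def send_without_selectors(alice: Selector, bob: Selector,
                           pkts: List[Packet]) -> List[str]:
    """SA set up with no selector exchange: Alice sends whatever her SPD puts
    on the SA, and Bob silently drops what his SPD does not admit."""
    out = []
    for p in pkts:
        if not alice.matches(p):
            out.append("not-on-this-sa")
        elif bob.matches(p):
            out.append("delivered")
        else:
            out.append("blackholed")        # dropped at Bob; Alice never learns
    return out


def send_with_selectors(alice: Selector, bob: Selector,
                        pkts: List[Packet]) -> List[str]:
    """SA set up with selectors conveyed and narrowed to the intersection:
    Alice can see, before sending, which of her flows the SA really covers."""
    agreed = alice.intersect(bob)
    out = []
    for p in pkts:
        if not alice.matches(p):
            out.append("not-on-this-sa")
        elif agreed is not None and agreed.matches(p):
            out.append("delivered")
        else:
            out.append("rejected-at-sender")  # visible to Alice's policy code
    return out


if __name__ == "__main__":
    print("no selectors:  ", send_without_selectors(ALICE_SPD, BOB_SPD, PACKETS))
    print("with selectors:", send_with_selectors(ALICE_SPD, BOB_SPD, PACKETS))
```

The two result lists differ only in whether the mismatching packets vanish at Bob ("blackholed") or are refused at Alice ("rejected-at-sender"); the second outcome is the one a key-management or policy daemon can log, report, or use to trigger a different SA.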

