
RE: IKEv2 traffic selector subsetting.



To add to this conversation, I would like to debunk this myth that the IPsec
SADB selectors need to match the IPsec policy.

The SPD, not the SADB, is supposed to enforce IPsec policy. As someone
noted, it does no good to repeat the information in the SPD in the SA
selectors, since that traffic will be filtered out by the SPD anyway. If you
wish to avoid sending traffic that will be filtered out by the peer then
that would be best accomplished by an IPSP protocol.

The point of the phase 2 selectors is to enforce that (often ignored) 3rd
aspect of network security: authorization. We want to bind the phase 2
selectors to the phase 1 identity so that authenticated peers cannot
impersonate each other. The use of the phase 2 selectors allows the
per-packet SPD check to proceed without consulting the SADB (because the
initial SADB check is sufficient for verifying that the phase 1 id is
appropriate).

This is an *OPTIMIZATION*. It is feasible to negotiate wildcard SAs (or
transport mode SAs for an IP-in-IP tunnel) *iff* you do a phase 1 identity
check on every packet (i.e. pass the SA context information up the stack).

Port-constrained SAs make sense in the case of a multi-user UNIX machine
where the phase 1 id associated with port FOO is not necessarily the same as
the id on port BAR. Port-constrained selectors are NOT the best mechanism
for implementing packet filtering. In the vast majority of VPN scenarios, a
list of subnets would be appropriate for expressing phase 2 selectors.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
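To make the distinction in the message above concrete, here is an added toy model of inbound IPsec processing (example code written for this page, not from the post's author or any IPsec implementation). It contrasts the two designs the post describes: SAs whose phase 2 selectors are narrowed to what the phase 1 identity is authorized for, versus wildcard SAs where the SA context (the peer identity) is passed up and checked per packet against an authorization table. In both designs the SPD, not the SA, is what enforces policy. All identities, SPIs, subnets, the `SPD`, `SAD_NARROW`, `SAD_WILDCARD` and `AUTHZ` tables are constructed sample data.

```python
"""Toy model: phase 2 selectors as an authorization binding, the SPD as policy.

Constructed example; peer identities, SPIs and address ranges are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class SA:
    spi: int
    peer_id: str             # phase 1 (IKE) identity this SA was negotiated with
    remote_sel: IPv4Network  # phase 2 selector: sources this peer may send from
    local_sel: IPv4Network   # phase 2 selector: destinations it may send to


@dataclass(frozen=True)
class Packet:
    spi: int   # SPI of the SA the packet arrived on
    src: str   # inner source address
    dst: str   # inner destination address


ANY = ip_network("0.0.0.0/0")

# Constructed SPD: ordered, first match wins, entries are (src, dst, action).
SPD = [
    (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/24"), "protect"),
    (ANY, ANY, "discard"),
]


def spd_lookup(src: str, dst: str) -> str:
    """Per-packet policy check. This runs regardless of how the SA was negotiated."""
    for s, d, action in SPD:
        if ip_address(src) in s and ip_address(dst) in d:
            return action
    return "discard"


# Design 1 (constructed): SAs with narrowed selectors, bound to the phase 1 id.
SAD_NARROW = {
    1001: SA(1001, "gw-a.example", ip_network("10.1.0.0/16"), ip_network("192.168.0.0/24")),
    1002: SA(1002, "gw-b.example", ip_network("10.2.0.0/16"), ip_network("192.168.0.0/24")),
}

# Design 2 (constructed): wildcard SAs; authorization is checked per packet
# against a hypothetical table keyed by phase 1 identity.
SAD_WILDCARD = {
    2001: SA(2001, "gw-a.example", ANY, ANY),
    2002: SA(2002, "gw-b.example", ANY, ANY),
}
AUTHZ = {
    "gw-a.example": [ip_network("10.1.0.0/16")],
    "gw-b.example": [ip_network("10.2.0.0/16")],
}


def inbound_selector_bound(pkt: Packet, sad=SAD_NARROW) -> tuple[str, str]:
    """Design 1: the SA's own selectors carry the authorization; then consult the SPD."""
    sa = sad.get(pkt.spi)
    if sa is None:
        return ("discard", "unknown SPI")
    # Authorization: an authenticated peer may not source addresses it did not
    # negotiate, so it cannot impersonate another peer's subnet.
    if ip_address(pkt.src) not in sa.remote_sel or ip_address(pkt.dst) not in sa.local_sel:
        return ("discard", f"outside selectors bound to {sa.peer_id}")
    return (spd_lookup(pkt.src, pkt.dst), "SPD")


def inbound_wildcard(pkt: Packet, sad=SAD_WILDCARD, authz=AUTHZ) -> tuple[str, str]:
    """Design 2: wildcard SA, so the phase 1 id is checked on every packet."""
    sa = sad.get(pkt.spi)
    if sa is None:
        return ("discard", "unknown SPI")
    # The SA context (peer identity) is passed up the stack and checked here.
    if not any(ip_address(pkt.src) in net for net in authz.get(sa.peer_id, [])):
        return ("discard", f"{sa.peer_id} not authorized for {pkt.src}")
    return (spd_lookup(pkt.src, pkt.dst), "SPD")


if __name__ == "__main__":
    # gw-b tries to send as gw-a's subnet: both designs refuse.
    print(inbound_selector_bound(Packet(1002, "10.1.5.5", "192.168.0.10")))
    print(inbound_wildcard(Packet(2002, "10.1.5.5", "192.168.0.10")))
    # Legitimate traffic from gw-b: accepted by the SPD in both designs.
    print(inbound_selector_bound(Packet(1002, "10.2.3.4", "192.168.0.10")))
    print(inbound_wildcard(Packet(2002, "10.2.3.4", "192.168.0.10")))
    # Destination outside policy: the SPD discards it even over a wildcard SA.
    print(inbound_wildcard(Packet(2002, "10.2.3.4", "192.168.5.5")))
```

The last case is the point of the post: with the wildcard SA the packet passes the identity check but is still dropped by the SPD, so duplicating SPD contents into SA selectors buys nothing for policy enforcement; the narrowed selectors only let the per-packet path skip the identity lookup.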


