[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Move TS to optional (RE: Don't remove TS from IKEv2)

To: <andrew.krywaniuk@alcatel.com>, "Jan Vilhuber" <vilhuber@cisco.com>
Subject: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
From: "Sankar Ramamoorthi" <Sankar.Ramamoorthi@nexsi.com>
Date: Tue, 26 Mar 2002 18:09:24 -0800
Cc: "Andrew Krywaniuk" </o=TimeStep.Corporation/ou=TIMESTEP/cn=Recipients/cn=akrywaniuk@nexsi.com>, "Dan Harkins" <dharkins@tibernian.com>, "IP Security List" <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcHVGsieF9Uro1TFTcqEYWucnOOlWQAFIUVw
Thread-Topic: Move TS to optional (RE: Don't remove TS from IKEv2)



> -----Original Message-----
> From: andrew.krywaniuk@alcatel.com 
> [mailto:andrew.krywaniuk@alcatel.com]
> Sent: Tuesday, March 26, 2002 3:01 PM
> To: 'Jan Vilhuber'; Sankar Ramamoorthi
> Cc: Andrew Krywaniuk; 'Dan Harkins'; 'IP Security List'
> Subject: RE: Move TS to optional (RE: Don't remove TS from IKEv2) 
> 
> 
> I don't necessarily have any objections to doing this through an IPsec
> tunnel, but it should at least be a specialized control channel tunnel
> rather than having it mixed in with IPsec-tunneled data.

As you point out having a specialized ipsec control channel is
equivalent to another isakmp message or some other protocol.


The advantages of sending control messages in-band to an ipsec SA are
 
1) Control messages are authenticated and replay protected in the
   same manner as data packet - hence have the security property.

2) If necessary, control messages can piggyack data, thereby avoiding
   latency issues.

   For example if the ipsec selector needs to be broadend,
   the sender encapsulates the esp data packet in a control packet indicating 
   the required selector change. The peer on receiving it will acknowledge
   the selector-change using another control packet(may or may not piggyback
   data along with it). The sender continues to send the data in encapsulated 
   form till it receives the acknowledgement from the peer.

3) Control messages are inband and specific to the SA of interest.
   Since the control message follows the same path as data path,
   it could serve as a better way to check the health of the ipsec SA.

-- sankar --



> I would suggest
> that the transport mode connection between two gateways be 
> considered a
> control channel, but it seems that the L2TP people have 
> already subsumed
> this SA for their purposes. So it should probably be a 
> port-specific SA on
> which the IPSP protocol would run. This solution, in turn, 
> necessitates a
> 2-phase approach in order to negotiate the IPsec control channel. An
> alternative is to create an ISAKMP message for this, which is 
> what most
> people would have done before the great complexity crisis of '99.
> 
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
> 
>

Prev by Date: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
Next by Date: Re: Do we actually need dynamic ports?
Prev by thread: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
Next by thread: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
Index(es):
- Date
- Thread