
Re: Is TS agreement necessary?

Dan Harkins <dharkins@tibernian.com> wrote:
 > > When I initiate SA negotiation, I get to decide what goes in the
 > > selectors on my end, just like current IKE implementations.  What's
 > > different is how the selectors are set up for SAs that were requested by
 > > my peer.  When my peer asks me to add an SA pair to my SAD, I mark the
 > > SAs as "completely shared", "address unique" or "session unique" as my
 > > peer requests.  
 > 
 > The peer requests some "shared" or "unique" -ness to be assigned to
 > the SA during SA establishment time? How is that to be done exactly and
 > why is that any better than a TS payload?

You mean how does the initiator know which style to request?  It could
be explicit in the policy (the "shared" or "unique" attribute of the SPD
entry) or implicit in the application (maybe a VPN gateway would always
request shared SAs).  I think I'd prefer something explicit.

Or do you mean how does this go in the SA establishment protocol?  It
would go in a place similar to where the TS payloads would have been,
except that there would be one segregation parameter specified for each
matched pair of SAs, since the responder will have to learn and keep
track of traffic selectors for the SAs as a pair.

 > You're proposing to replace a specific indication with an abstract hint.
 > It looks like there's lots of room for interpretation and disinteroperability
 > in this. That sounds worse than what we have today with IKEv1 and much,
 > much worse than what is proposed with the TS payload.

Some email may have passed in transit, but I've explained that there is
no risk of disinteroperability.  If the responder ignores or
misinterprets the hint, things still work, because the sender of any
packet is free to use whatever method is convenient or appropriate in
its implementation for traffic segregation, taking the hint into account
or not.  The receiver will check that the SA was an appropriate one as
far as its own policy.

The worst-case result of misinterpretation of the segregation hint is
different segregation policy in the two directions, and that difference
would be a documentable characteristic of the two implementations.

					-=] Mike [=-
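As an added illustration of the argument above (not code from either participant or from any IKE implementation), the following toy model shows what the three segregation styles mean for SA selection on the sending side, and why the receiving side's check does not depend on the hint. Everything here is an assumption made for the model: selectors are plain 5-tuples with None as a wildcard, the segregation attribute lives on the SPD entry as the post suggests, and SA "negotiation" is simulated by minting a new SPI locally.

```python
"""Toy model of per-SA-pair segregation hints vs. receiver policy checks.

Constructed illustration only. Selectors are (src, dst, proto, sport, dport)
tuples; None is a wildcard. An SPD entry carries the segregation attribute
proposed in the thread: "shared", "address" (address unique) or "session"
(session unique).
"""
from dataclasses import dataclass, field

Pkt = tuple  # (src, dst, proto, sport, dport)


def matches(selector: tuple, pkt: Pkt) -> bool:
    """Each selector field is a wildcard (None) or must match exactly."""
    return all(s is None or s == p for s, p in zip(selector, pkt))


def segregation_key(style: str, pkt: Pkt):
    """Which part of the packet decides whether a fresh SA pair is needed."""
    if style == "shared":
        return None                 # one SA pair for the whole SPD entry
    if style == "address":
        return (pkt[0], pkt[1])     # one SA pair per address pair
    if style == "session":
        return pkt                  # one SA pair per 5-tuple
    raise ValueError(f"unknown segregation style {style!r}")


@dataclass
class SA:
    spi: int
    selector: tuple   # traffic this SA pair is allowed to carry (policy)
    style: str        # segregation hint the initiator asked for
    key: object       # address pair / session the SA pair is bound to


@dataclass
class Host:
    name: str
    spd: list                                  # [(selector, style), ...]
    sad: dict = field(default_factory=dict)    # (spd_index, key) -> SA
    next_spi: int = 0x1000

    def select_outbound(self, pkt: Pkt) -> SA:
        """Sender side: the hint decides how many SA pairs exist, but every
        SA pair still carries the SPD entry's full selector."""
        for idx, (selector, style) in enumerate(self.spd):
            if matches(selector, pkt):
                key = segregation_key(style, pkt)
                sa = self.sad.get((idx, key))
                if sa is None:                 # simulate negotiating a pair
                    self.next_spi += 1
                    sa = SA(self.next_spi, selector, style, key)
                    self.sad[(idx, key)] = sa
                return sa
        raise LookupError(f"{self.name}: no SPD entry for {pkt}")

    def accept_inbound(self, sa: SA, pkt: Pkt) -> bool:
        """Receiver side: the packet must fit the SA pair's selector and the
        receiver's own SPD; the peer's segregation choice is not consulted."""
        return matches(sa.selector, pkt) and any(
            matches(sel, pkt) for sel, _ in self.spd)


def reverse(pkt: Pkt) -> Pkt:
    src, dst, proto, sport, dport = pkt
    return (dst, src, proto, dport, sport)


def demo():
    """A asks for session-unique SAs; B ignores the hint and shares one SA.
    Returns (distinct SPIs A->B, distinct SPIs B->A, all packets accepted)."""
    any_tcp = (None, None, 6, None, None)
    a = Host("A", [(any_tcp, "session")])
    b = Host("B", [(any_tcp, "shared")])
    flows = [("10.0.0.1", "10.0.1.1", 6, 40000, 443),   # constructed sample
             ("10.0.0.1", "10.0.1.1", 6, 40001, 443),
             ("10.0.0.2", "10.0.1.1", 6, 40000, 22)]
    a_to_b = [a.select_outbound(p) for p in flows]
    b_to_a = [b.select_outbound(reverse(p)) for p in flows]
    ok = (all(b.accept_inbound(sa, p) for sa, p in zip(a_to_b, flows)) and
          all(a.accept_inbound(sa, reverse(p)) for sa, p in zip(b_to_a, flows)))
    return (len({sa.spi for sa in a_to_b}), len({sa.spi for sa in b_to_a}), ok)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one argued in the reply: A ends up with three SA pairs and B with one, so segregation differs per direction, yet every packet passes the receiver's selector check because that check looks only at the negotiated selector and local policy, never at the hint.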