
Re: SA granularity




--- pierluigimarra@blu.it wrote:
> I'm wondering about SA granularity,
> Could someone help me, please?
> 
> In RFC 2401, page 14, I read:
> 
> "...For every IPsec implementation, there MUST be an
> administrative interface that allows a user or
> system administrator to manage the SPD.
> Specifically, every inbound or outbound packet is
> subject to processing by IPsec and the SPD must
> specify what action will be taken in each case. Thus
> the administrative interface must allow the user (or
> system administrator) to specify the security
> processing to be applied to any packet entering or
> exiting the system, on a packet by packet basis. (In
> a host IPsec implementation making use of a socket
> interface, the SPD may not need to be consulted on a
> per packet basis, but the effect is still the same.)
> The management interface for the SPD MUST allow
> creation of entries consistent with the selectors
> defined in Section 4.4.2, and MUST support (total)
> ordering of these entries. It is expected that
> through the use of wildcards in various selector
> fields, and because all packets on a single UDP or
> TCP connection will tend to match a single SPD
> entry, this requirement will not impose an
> unreasonably detailed level of SPD specification.
> The selectors are analogous to what are found in a
> stateless firewall or filtering router and which are
> currently manageable this way..."
> 
> My questions are:
> 1) Could the granularity be so fine as to associate TCP
> connections with SAs? (1:1)
Yes
> 2) Could the receiver dynamically force (or at least indicate)
> the mapping policy to the sender (e.g. force the sender to
> use different SAs for different TCP connections)?
No, maybe in IKEv2
> 
> Thanks in advance,
> Pierluigi


=====
In natural science, Nature has given us a world and we're just to discover its laws. In computers, we can stuff laws into it and create a world            -- Alan Kay

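As an added illustration of the first answer (constructed here, not part of this message or of RFC 2401), a small ordered SPD lookup in Python: entries with full 5-tuple selectors map each TCP connection to its own SA, a wildcard entry catches the remaining traffic to the same host, and because the SPD is totally ordered, the position of an entry decides which one wins. Addresses, ports and SA labels are made up.

```python
# Added example: ordered SPD lookup with RFC 2401-style selectors.
# A selector field set to None is a wildcard (matches any value).
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class Selector:
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    proto: Optional[int] = ANY  # IP protocol number, 6 = TCP
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        """Every non-wildcard field must equal the packet's value."""
        for field in ("src", "dst", "proto", "sport", "dport"):
            want = getattr(self, field)
            if want is not ANY and pkt[field] != want:
                return False
        return True


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str           # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[str]     # hypothetical SA label, used only for PROTECT


def lookup(spd: list, pkt: dict) -> SPDEntry:
    """Totally ordered SPD: the first matching entry wins.
    No match at all means the packet is discarded (RFC 2401 §5.1.1)."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return SPDEntry(Selector(), "DISCARD", None)


def build_spd() -> list:
    """Constructed policy: one SA per TCP connection from 10.0.0.5 to
    10.0.0.9:443, a shared SA for any other TCP traffic to 10.0.0.9,
    and everything else bypasses IPsec."""
    return [
        SPDEntry(Selector("10.0.0.5", "10.0.0.9", 6, 40001, 443), "PROTECT", "SA-conn1"),
        SPDEntry(Selector("10.0.0.5", "10.0.0.9", 6, 40002, 443), "PROTECT", "SA-conn2"),
        SPDEntry(Selector(dst="10.0.0.9", proto=6), "PROTECT", "SA-shared"),
        SPDEntry(Selector(), "BYPASS", None),
    ]


def sa_for(pkt: dict) -> Optional[str]:
    """Outbound path: consult the SPD and return the SA to apply, if any."""
    return lookup(build_spd(), pkt).sa
```

Reversing the entry order makes the catch-all entry shadow the per-connection ones, which is why RFC 2401 requires the SPD to be searched in a fixed order.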