
Fw: ISAKMP-SA & Security Policy



 
Hi,
    Looks like you are confused. The ISAKMP-SA is the SA created for PHASE 1. This SA is used
to protect the PHASE 2 (quick mode) traffic, and at the end of PHASE 2 the IPsec SAs are created.
Normally the PHASE 1 SA database is maintained in user space (assuming user/kernel space exist).
After the PHASE 2 SAs are created, one normally creates a PF_KEY socket and uses it to write the IPsec
SAs into the IPsec SAD (SA database). You are right in that the PHASE 1 SPI is the concatenation of
the COOKIE of initiator and responder. Anyhow, for the PHASE 2 SPI, any unique random number
generator can be used. Each PHASE 2 consists of two IPsec SAs, inbound and outbound SA,
each with a unique SPI.
   The SPD (SA Policy Database) is configured differently. Some use the KEYNOTE mechanism. Others
have their own proprietary implementation. For the SPD you normally define the policy based on IPsec
selectors for traffic going out and coming in.
 
Cheers !
     Suresh Singh K.
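The Phase 1 / Phase 2 split and the SAD/SPD roles described in the reply above, as an added illustration that is not part of the original mail and not any real IKE daemon's code: a small Python model in which the ISAKMP-SA is identified by the concatenated cookies and kept out of the SAD, each Quick Mode run installs an inbound and an outbound IPsec SA with its own SPI, and outbound packets are matched against selector-based SPD entries before an SA is chosen. All class and function names (IPsecSA, SAD, SPD, install_phase2, process_outbound, the "acquire" result) and the addresses, SPIs and keys are constructed here; the SPI range check follows RFC 4303 (0 is local-use, 1..255 are IANA-reserved).

```python
"""Toy model of ISAKMP-SA vs IPsec SAs, SAD and SPD. Constructed example; all names are invented."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# ---- Phase 1: the ISAKMP SA is identified by the cookie pair (RFC 2408/2409) ----
def isakmp_sa_spi(cookie_i: bytes, cookie_r: bytes) -> bytes:
    """ISAKMP-SA identifier = initiator cookie || responder cookie, 8 octets each.
    It is held by the IKE daemon in user space and never written to the kernel SAD."""
    if len(cookie_i) != 8 or len(cookie_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    return cookie_i + cookie_r


# ---- Phase 2: IPsec SAs in the SAD, keyed by (SPI, destination, protocol) ----
@dataclass
class IPsecSA:
    spi: int
    src: str
    dst: str
    proto: str       # "esp" or "ah"
    direction: str   # "in" or "out"
    key: bytes       # placeholder for the keying material derived in Quick Mode


class SAD:
    """Security Association Database: what a PF_KEY SADB_ADD would populate."""
    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, str], IPsecSA] = {}

    def allocate_inbound_spi(self) -> int:
        # 32-bit SPI; 0 is local-use and 1..255 are IANA-reserved (RFC 4303 2.1).
        # Only inbound SPIs are chosen locally, so uniqueness is checked among those.
        while True:
            spi = secrets.randbits(32)
            taken = any(sa.direction == "in" and sa.spi == spi for sa in self._sas.values())
            if spi > 255 and not taken:
                return spi

    def add(self, sa: IPsecSA) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: str) -> Optional[IPsecSA]:
        return self._sas.get((spi, dst, proto))

    def outbound_to(self, peer: str, proto: str = "esp") -> Optional[IPsecSA]:
        return next((sa for sa in self._sas.values()
                     if sa.direction == "out" and sa.dst == peer and sa.proto == proto), None)


def install_phase2(sad: SAD, local: str, peer: str, peer_spi: int,
                   key_in: bytes, key_out: bytes) -> Tuple[IPsecSA, IPsecSA]:
    """One Quick Mode exchange yields two SAs: inbound (our SPI) and outbound (the peer's SPI)."""
    if not 0 < peer_spi < 2**32:
        raise ValueError("peer SPI out of range")
    inbound = IPsecSA(sad.allocate_inbound_spi(), peer, local, "esp", "in", key_in)
    outbound = IPsecSA(peer_spi, local, peer, "esp", "out", key_out)
    sad.add(inbound)
    sad.add(outbound)
    return inbound, outbound


# ---- SPD: policy by traffic selectors; entries are ordered and the first match wins ----
@dataclass
class SPDEntry:
    direction: str                 # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]           # IP protocol number, None = any
    action: str                    # "protect", "bypass" or "discard"
    gateway: Optional[str] = None  # peer address for "protect" entries


class SPD:
    def __init__(self) -> None:
        self.entries: List[SPDEntry] = []

    def add(self, direction, src, dst, action, proto=None, gateway=None) -> None:
        self.entries.append(SPDEntry(direction, ipaddress.ip_network(src),
                                     ipaddress.ip_network(dst), proto, action, gateway))

    def match(self, direction: str, src_ip: str, dst_ip: str, proto: int) -> Optional[SPDEntry]:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for e in self.entries:
            if (e.direction == direction and s in e.src and d in e.dst
                    and (e.proto is None or e.proto == proto)):
                return e
        return None


def process_outbound(spd: SPD, sad: SAD, src_ip: str, dst_ip: str, proto: int):
    """Return ("protect", sa), ("bypass", None), ("discard", None) or ("acquire", None).
    No matching policy means discard; a protect policy with no SA yet is the case where a
    kernel would send PF_KEY SADB_ACQUIRE to the IKE daemon to start Quick Mode."""
    entry = spd.match("out", src_ip, dst_ip, proto)
    if entry is None or entry.action == "discard":
        return "discard", None
    if entry.action == "bypass":
        return "bypass", None
    sa = sad.outbound_to(entry.gateway)
    return ("protect", sa) if sa else ("acquire", None)
```

Note that the only SPI the local side ever chooses is the one on its inbound SA; the outbound SA carries the SPI the peer picked for its own inbound direction, which is why a Quick Mode run always produces the pair.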
  
 
----- Original Message -----
Sent: Monday, October 28, 2002 8:06 PM
Subject: ISAKMP-SA & Security Policy

Hello list,

I am a newbie to IPSec. I have learned from reading IKE (RFC 2409) that, for the ISAKMP-SA, the SPI is a concatenation of the COOKIE of the Initiator and the COOKIE of the responder. Does this mean the PF_KEY interface is not used to create the SPI for an ISAKMP implementation? Hence there will not be any IPSec Policy Set for this SPI? And the Quick Mode exchange is secured by the Keying Material established during the 1st Phase? Are all these interpretations correct?

Please clarify.

thanks

Suresh.

 


