
Re: ISAKMP-SA & Security Policy



Hi,

>>What I understood is, For ISAKMP-SA, SPD will not be created. I mean to
>>say, we will not run 'ipsecconf' to let the IP stack know about
>>ISAKMP-SPI details

    Yes, for ISAKMP-SA SPD is not required. Phase I just negotiates
the ISAKMP-SA parameters and maintains a Phase I SA list.

>>The Phase-I exchanges will be protected based on the session key created
>>after the key exchange. This is unlike in IPSec SPI, where an SPD will be
>>created after Phase-II exchange with 2 SPIs? Am I right?
    The SPD is not created after Phase-II. It's created initially. In fact
the SPD, based on its selectors, indicates to IKE to start negotiating a new
PHASE 1 with the designated peer, if the PHASE 1 for the peer is not yet
established.
    The SPD consists of policies based on selectors like Source IP address,
Destination IP address, Source port, Dest. port, IP address Range, Transport
Protocols etc. In a user/kernel OS, the SPD is in the kernel.

Cheers !
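As an added illustration (not code from the thread or from any of the posters), a small Python model of the flow described above: an SPD entry whose selectors match an outbound packet, an ISAKMP-SA cache keyed by peer and identified by the concatenated initiator/responder cookies, and the pair of Phase 2 IPsec SAs with unique random SPIs written to the SAD. The `Policy` and `Ike` classes, the peer name and the in-memory dictionaries are assumptions standing in for a real kernel SPD/SAD and the PF_KEY socket.

```python
import os
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    """Hypothetical SPD entry: selectors plus the peer gateway to negotiate with."""
    src: str
    dst_lo: str
    dst_hi: str
    proto: str
    dport: Optional[int]   # None means any destination port
    peer: str

    def matches(self, src, dst, proto, dport):
        d = ipaddress.ip_address(dst)
        in_range = ipaddress.ip_address(self.dst_lo) <= d <= ipaddress.ip_address(self.dst_hi)
        return (self.src == src and in_range and self.proto == proto
                and (self.dport is None or self.dport == dport))

class Ike:
    def __init__(self, spd):
        self.spd = spd
        self.phase1 = {}   # peer -> cookie_i || cookie_r (user-space Phase 1 SA list)
        self.sad = {}      # spi -> (direction, peer); stands in for the kernel SAD
        self.log = []      # constructed trace of which negotiations were run

    def phase1_for(self, peer):
        # The ISAKMP-SA has no SPD/SAD entry; it is identified by the two cookies.
        if peer not in self.phase1:
            cookie_i, cookie_r = os.urandom(8), os.urandom(8)
            self.phase1[peer] = cookie_i + cookie_r
            self.log.append(("phase1", peer))
        return self.phase1[peer]

    def new_spi(self):
        # Any generator will do for Phase 2 SPIs as long as the value is unique
        # in the SAD; values 0-255 are reserved, so skip them.
        while True:
            spi = int.from_bytes(os.urandom(4), "big")
            if spi >= 256 and spi not in self.sad:
                return spi

    def outbound(self, src, dst, proto, dport):
        policy = next((p for p in self.spd if p.matches(src, dst, proto, dport)), None)
        if policy is None:
            return None                          # no policy: packet bypasses IPsec
        self.phase1_for(policy.peer)             # quick mode needs a Phase 1 SA first
        pair = (self.new_spi(), self.new_spi())  # inbound and outbound IPsec SAs
        for spi, direction in zip(pair, ("in", "out")):
            self.sad[spi] = (direction, policy.peer)
        self.log.append(("phase2", policy.peer))
        return pair
```

Two flows to the same peer share one Phase 1 SA but each get their own pair of Phase 2 SPIs.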



----- Original Message -----
From: Suresh Kumar
To: Suresh Singh K.
Cc: ipsec@lists.tislabs.com
Sent: Wednesday, October 30, 2002 4:26 AM
Subject: Re: ISAKMP-SA & Security Policy


Hello Suresh Singh,
thank you very much for your reply. I am clear about the Phase-II, but not
clear about Phase-I. What I understood is, For ISAKMP-SA, SPD will not be
created. I mean to say, we will not run 'ipsecconf' to let the IP stack
know about ISAKMP-SPI details. The Phase-I exchanges will be protected
based on the session key created after the key exchange. This is unlike in
IPSec SPI, where an SPD will be created after Phase-II exchange with 2 SPIs?
Am I right? Please answer
thanks
Suresh Kumar
 "Suresh Singh K." <sureshsingh.keisam@analog.com> wrote:
Hi,
    Looks like you are confused. The ISAKMP-SA is the SA created for PHASE
1. This SA is used to protect the PHASE 2 (quick mode) traffic and at the
end of PHASE 2 IPSEC SAs are created.
Normally the PHASE 1 SA database is maintained in user space (assuming
user/kernel space exist).
After PHASE 2 SAs are created, one normally creates a PF_KEY socket and uses
it to write the IPsec SAs into the IPsec SAD (SA database). You are right in
that the PHASE 1 SPI is the concatenation of the COOKIE of initiator and
responder. Anyhow for the PHASE 2 SPI, any unique random number generator
can be used. Each PHASE 2 consists of two IPsec SAs, inbound and outbound
SA, each with a unique SPI.
    The SPD (SA Policy Database) is configured differently. Some use the
KEYNOTE mechanism. Others have their own proprietary implementation. For the
SPD you normally define the policy based on IPsec selectors for traffic
going out and coming in.

Cheers !
     Suresh Singh K.


----- Original Message -----
From: Suresh Kumar
To: ipsec@lists.tislabs.com
Cc: dharkins@cisco.com ; carrel@ipsec.org
Sent: Monday, October 28, 2002 8:06 PM
Subject: ISAKMP-SA & Security Policy


Hello list,
I am a newbie to IPSec. I have learned from reading of IKE-2409 that, for the
ISAKMP-SA, the SPI is a concatenation of the COOKIE of Initiator and COOKIE of
responder. Does this mean the PF_KEY interface is not used to create the SPI
for the ISAKMP implementation? Hence there will not be any IPSec Policy Set
for this SPI? And the Quick Mode exchange is secured by the Keying Material
established during the 1st Phase? Are all these interpretations correct?
Please clarify.
thanks
Suresh.


