
Re: Adding revised identities to IKEv2



At 11:32 AM -0800 11/15/02, Michael Thomas wrote:
>Uri Blumenthal writes:
>  > At 10:35 11/15/2002 -0800, Michael Thomas wrote:
>  > >1) Credentials are verified, 2) Authorization is applied given the policy in
>  > >the SPD -- for IPsec, this means setting up ... parameters on the receiver
>  > >  side...*may*  or *may* *not* have anything to do with the source IP address
>  > >3) packets are ....checked, classified and run through ......#2........
>  > >
>  > >All of this should be *independent* of the IP address the key management
>  > >protocol is being run on, and in fact should be completely separable.
>  >
>  > Ah, with this I agree. I think you mean: not IP address but SA itself is
>  > validated
>  > by crypto signatures. That's fine.
>  >
>  > Except that to the best of my knowledge, IP addresses are part of SA
>  > information,
>  > i.e. filtering is done NOT based solely on SPI...
>
>To be pedantic...
>
>There are two things going on: first is SADB
>lookup for the incoming packet. I believe that
>Steve a while back said that it is currently
>SPI+DSTaddr, but that in revisions it would only
>be SPI unless DSTaddr is a multicast address in
>which case it would be SPI+DSTaddr as now. There's
>never been a requirement for SRCaddr that I'm
>aware of if implementations (mistakenly, IMO)
>often do use it as part of the lookup operation.

right.

>
>The second is the classification/filtering
>operation after the packet is integrity checked.
>This is just the normal 5-tuple filtering which
>may or may not pay attention to the source address
>(ie, it could be wildcarded).

in principle the SPD entry for this SA might wildcard the source 
address, but in practice we create pairs of SAs and the IP address 
for outbound traffic in the matching SA must be constrained in some 
fashion, typically by specifying a single IP address or address range 
(or mask), to ensure that all traffic destined to a host or set of 
hosts is mapped to an SA that terminates at an IPsec implementation 
serving that host or set of hosts.


Steve
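A constructed Python model of the two inbound steps the thread describes: SADB lookup by SPI alone (SPI plus destination only when the destination is a multicast group), followed by 5-tuple SPD filtering in which the source selector may be wildcarded or constrained. This is an added example, not code from the thread or any IPsec implementation; the SPIs, addresses and selectors are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed inbound SADB. Key is (SPI, dst): dst is None for unicast SAs
# (SPI alone identifies the SA) and the group address for multicast SAs.
SADB = {
    (0x1001, None): "spd-a",          # unicast SA
    (0x2002, "224.0.0.9"): "spd-b",   # multicast SA: SPI + destination group
}

# Constructed SPD selectors applied after the integrity check.
# None means the field is wildcarded.
SPD = {
    "spd-a": {"src": ip_network("10.0.0.0/24"), "dst": ip_network("192.0.2.10/32"),
              "proto": 6, "dport": 443},
    "spd-b": {"src": None, "dst": ip_network("224.0.0.9/32"),
              "proto": 17, "dport": 520},
}


def sadb_lookup(spi, dst):
    """Find the SA for an inbound packet: SPI only, or SPI+dst if dst is multicast."""
    key = (spi, dst if ip_address(dst).is_multicast else None)
    return SADB.get(key)


def spd_match(sel, pkt):
    """5-tuple check against one SPD selector; a None selector field matches anything."""
    if sel["src"] is not None and ip_address(pkt["src"]) not in sel["src"]:
        return False
    if sel["dst"] is not None and ip_address(pkt["dst"]) not in sel["dst"]:
        return False
    if sel["proto"] is not None and pkt["proto"] != sel["proto"]:
        return False
    if sel["dport"] is not None and pkt["dport"] != sel["dport"]:
        return False
    return True


def inbound_decision(spi, pkt):
    """Return 'no_sa', 'rejected' or 'accepted' for an integrity-checked packet."""
    spd_id = sadb_lookup(spi, pkt["dst"])
    if spd_id is None:
        return "no_sa"      # no SA for this SPI/dst: dropped before any filtering
    return "accepted" if spd_match(SPD[spd_id], pkt) else "rejected"
```

Note that for the unicast SA the destination address plays no part in the SADB lookup; a packet carrying the right SPI but the wrong destination is still caught, but only by the SPD selector, which is why the selector must constrain the addresses.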