
RE: Associating newly created SA bundles with Policies



Jeff,

I agree with you, it is necessary to select a certain policy in order to
respond to negotiations. But the only selector we can use at this stage
is the IP address of the remote host, isn't it? When I respond to
negotiations I can't determine whether this SA will be used for TCP
traffic or maybe for UDP...

Thus, I can't understand how to implement the following scenario: 

Between two hosts, I want:
1. All ICMP traffic to be protected with ESP only
2. All TCP traffic to be protected with AH only
3. All UDP traffic to be protected with ESP and AH

In this case all the selectors described in 4.4.2 [RFC2401] are unusable,
and the only selector left is the IP address.

Sergey

> -----Original Message-----
> From: jeff pickering [mailto:jeffp@caspiannetworks.com]
> Sent: Wednesday, December 18, 2002 8:44 PM
> To: Sergey Zakharov
> Subject: Re: Associating newly created SA bundles with Policies
> 
> 
> Sergey,
> I would assume that the responder would need to know the appropriate
> policy in order to create the SA(bundle) in the first place, i.e. it's
> the policy that determines acceptable proposals, etc.
> Jeff
> 
> 
> Sergey Zakharov wrote:
> 
> > Hello.
> >
> > The SA bundle was created as a result of IKE negotiations. The host
> > acts in these negotiations as a responder. Should it associate this
> > bundle with some policy?
> >
> > If the answer to this question is yes:
> > - If several Policies match this bundle (we can use only the IP address
> > as a selector), should it be associated with all of them? This can
> > cause some problems (on this host this bundle is associated with
> > multiple policies, but on the remote host only with a single one).
> >
> > If the answer is no:
> > - Will the outbound SA never be used?
> >
> > Thanks,
> > Sergey Zakharov
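The situation discussed in this thread, as an added example that is not part of the original messages: the three per-protocol policies from Sergey's scenario are modelled as RFC 2401-style SPD entries, and the sender-side lookup (all selectors known) is contrasted with the responder-side lookup, where only the peer address and the proposed protection suite are known. It goes one step beyond the thread by also showing a second, constructed SPD in which two policies share a suite, so the proposal no longer singles out one policy. All names, functions and the 192.0.2.x addresses (RFC 5737 documentation range) are the example's own assumptions.

```python
# Added example (not the thread's code): SPD lookup on both sides of an IKE
# negotiation for the three-policy scenario from the message. Names and
# addresses are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class SpdEntry:
    name: str
    remote_addr: str
    protocol: Optional[str]      # "icmp", "tcp", "udp" or ANY
    protection: FrozenSet[str]   # required security protocols, e.g. {"ESP", "AH"}


# Host A's SPD for peer B (192.0.2.2): the three policies from the message.
SPD: List[SpdEntry] = [
    SpdEntry("icmp-esp", "192.0.2.2", "icmp", frozenset({"ESP"})),
    SpdEntry("tcp-ah", "192.0.2.2", "tcp", frozenset({"AH"})),
    SpdEntry("udp-esp-ah", "192.0.2.2", "udp", frozenset({"ESP", "AH"})),
]


def outbound_lookup(spd: List[SpdEntry], remote_addr: str,
                    protocol: str) -> Optional[SpdEntry]:
    """Sender side: every selector is known, first matching entry wins."""
    for e in spd:
        if e.remote_addr == remote_addr and e.protocol in (ANY, protocol):
            return e
    return None  # no matching policy: the packet must be discarded


def responder_candidates(spd: List[SpdEntry], remote_addr: str,
                         proposed: FrozenSet[str]) -> List[str]:
    """Responder side: the traffic protocol is unknown, so match on the peer
    address alone, then keep only entries whose required protection equals
    the proposed suite (the policy is what makes a proposal acceptable).
    An empty result means the proposal is unacceptable; more than one
    result is the multiple-match ambiguity raised in the thread."""
    by_addr = [e for e in spd if e.remote_addr == remote_addr]
    return [e.name for e in by_addr if e.protection == proposed]


# Constructed variant: two policies share the ESP-only suite, so a proposal
# for ESP alone still leaves two candidate policies.
SPD_AMBIGUOUS: List[SpdEntry] = [
    SpdEntry("icmp-esp", "192.0.2.2", "icmp", frozenset({"ESP"})),
    SpdEntry("tcp-esp", "192.0.2.2", "tcp", frozenset({"ESP"})),
]
```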