[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: typical IPsec-based VPNs incl. modecfg vs. DHCP

To: Stephen Kent <kent@bbn.com>
Subject: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
From: "Scott G. Kelly" <scott@airespace.com>
Date: Thu, 13 Feb 2003 14:29:07 -0800
CC: BSingh@Nomadix.com, Francis.Dupont@enst-bretagne.fr, ipsec@lists.tislabs.com
Organization: airespace
References: <89680B404BA1DD419E6D93B28B41899BE9FC88@01mail.nomadix.com> <3E483959.5D2D8DF1@airespace.com> <p05100316ba71c5aeec31@[128.89.88.34]>
Sender: owner-ipsec@lists.tislabs.com

Hi Steve,

Comments below...

Stephen Kent wrote:
<trimmed...> 
> >I think RFC2401 is quite explicit about what selectors are used in SPD
> >lookups. Based on this, the virtual interface approach suffers from (at
> >least) two problems: first, routing lookups are most specific to least
> >specific (i.e. "best match"), meaning the administrator may not be able
> >to strictly control the ordering of SPD elements. Secondly, it does not
> >support protocol and/or ports as selectors.
> >
> >Scott
> 
> The notion that I've been developing for separating routing from
> access control in IPsec, and which was discussed among a set of folks
> interested in overlay nets and PPVPNs, is to make a call to a routing
> function prior to SPD lookup. The function would return a virtual
> interface ID (VID) and that can be used to select an SPD if one has a
> set of SPDs, one per virtual interface.  In a very simple context
> this call always returns the same VID and there is only one SPD. In a
> more complex environment the function returns meaningfully different
> results, and one can have multiple SPDs, or one SPD in which the VID
> is yet another selector (if you want to think of it that way).
> 
> Steve

As a matter of clarification, the "virtual interfaces" I refer to above
are also called "tunnel interfaces" in some implementations. I saw some
early open source ipsec implementations which used this approach (maybe
bsd-based). Basically, a tunnel is established, and then the tunnel is
treated as an interface (a virtual interface). There is no SPD/SAD
selection, per se; rather, a standard routing lookup determines which
interface a packet exits via, and ipsec tunnels have vif entries in the
routing table, making them look like "exit interfaces".

In such cases, no SPD entries are consulted following the routing
lookup, and the routing table (effectively) becomes the SAD/SPD. I think
this has obvious issues in terms of satisfying the selector criteria you
outlined in RFC2401, for the reasons I enumerated above. 

I also think this is significantly different than what you are referring
to above (the design you are developing), and I think you refer to the
same sort of design I described as having implemented in order to
support independent, per-interface policies. I hope you didn't think I
intended to criticize your approach. On the contrary, I think this model
is very powerful.

Scott

Follow-Ups:
- Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
  - From: Stephen Kent <kent@bbn.com>
- Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
  - From: Derek Atkins <derek@ihtfp.com>

References:
- RE: typical IPsec-based VPNs incl. modecfg vs. DHCP
  - From: BSingh@Nomadix.com
- Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
  - From: "Scott G. Kelly" <scott@airespace.com>
- Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Next by Date: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Prev by thread: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Next by thread: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Index(es):
- Date
- Thread