[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Another field for traffic selector?

To: "Derek Atkins" <derek@ihtfp.com>
Subject: RE: Another field for traffic selector?
From: "Cambria, Michael (Michael)" <mcambria@avaya.com>
Date: Fri, 14 Mar 2003 20:44:16 -0500
Cc: <ipsec@lists.tislabs.com>, <radia.perlman@sun.com>
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcLqh7HXgQmK4ayOSjqwcmokWZcqCwACaLag
Thread-Topic: Another field for traffic selector?

Hi,

I used the term IKE tunnel because it was in the original message.  I wasn't 
exactly sure what it meant.

The ability to havie multiple ISAKMP SA's between the two IKE's was the what I 
missed.  Thanks for filling in the blank.

Thanks,
MikeC

-----Original Message-----
From: Derek Atkins [mailto:derek@ihtfp.com]
Sent: Friday, March 14, 2003 7:13 PM
To: Cambria, Michael (Michael)
Cc: ipsec@lists.tislabs.com; radia.perlman@sun.com
Subject: Re: Another field for traffic selector?

"Cambria, Michael (Michael)" <mcambria@avaya.com> writes:

> Hi,
> 
> How would there be 4 IKE tunnels (ISAKMP SAs?) between each IKE entity?

Where do you see the limit on one-and-only-one ISAKMP SA between IP
Address A and IP Address B?  You have different Cookies and SAid's for
the various SAs.  So SA#1 is ID#1, SA#2 is ID#2.  Note that if you DO
have this limitation of only one ISAKMP SA per peer-IP then you cannot
have multiple peers behind the same NAT, because both of them would
have the same IP Address (albeit different UDP Ports).

> I understood the original problem as having only one (physical) FW
> at each end.  Each of these FW's had one IP address into the "cloud"
> network which would be used to connect to the (physical) FW at the
> remote end.  The goal was to have one IKEv2 tunnel over the cloud
> used to setup all the SA's between customer subnets.

You did understand the original problem -- a single gateway with one
physical IP address is handling some meta-IP VPN architecture, and you
want to use IPsec between this gateway and another gateway.

Question: what do you mean by IKEv2 tunnel?  Do you mean one ISAKMP
SA?  Or do you mean one IPsec tunnel?  I presume you mean the former,
but it's unclear due to your improper use of terminology.

Furthermore, I do not recall seeing anyone mention a goal of having
only one IKEv2 SA per pair of PPVPN gateways.  If that is an actual
requirement then yes, we would need to explore an alternate solution.
However I disbelieve that maintaining one more SA is a significant
overhead to support meta-IP tunnels, and it's something that works
without any changes to the IKEv2 or IPsec protocols -- indeed, such an
implementation could be done now and be fully compliant.

So, what's the actual "goal"?  Is the goal to support separate meta-IP
tunnels?  Or to support it with one fewer SA?

> In order to have a FW have 4 identities (and 4 IKE tunnels), would
> IKE need to use different UDP ports between identities or have 4
> different IP addresses (i.e. one per customer) into the cloud?

No, of course not.  You just negotiate multiple ISAKMP SAs with your
peers, one per VPN.  If you're handling 100 VPNs, you have 100 ISAKMP
SAs and 200 IPsec SAs.  Keep in mind that you already need to keep
track of the meta-IP state for each VPN, so you DO already have O(n)
state.

> Am I missing something?

I would say "yes", but I'm not sure what you're missing.  Actually,
what you are probably missing is the fact that somewhere in the IPsec
stack implementation there needs to be an up-call to let the IKE
daemon know which ID needs to be used for a particular negotiation.
But that's a local matter (IMHO) because the upcall for YOUR
implementation does not necessarily need to match the upcall in mine.

(The right place to standardize this particular upcall would be within
a PFkey extension).

> Thanks,
> MikeC

-derek

> 
> -----Original Message-----
> From: Radia Perlman - Boston Center for Networking
> [mailto:Radia.Perlman@sun.com]
> Sent: Friday, March 14, 2003 2:51 PM
> To: Derek Atkins
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Another field for traffic selector?
> 
> 
> Aha. I think Derek's suggestion is a more
> elegant solution to the problem. To explain
> it again just because seeing it explained in different
> words is always helpful,
> to perform VPN service on behalf of four customer
> nets, (C1, C2, C3, C4), firewall n would have
> four identities, say Fn-C1, Fn-C2, Fn-C3, Vn-C4, and
> also have 4 certificates (for each of the identities) and
> form four IKE tunnels. Then which customer
> net the child-SA is for is based on which IKE
> tunnel it was formed under.
> 
> The identities could have the same public key or different
> public keys for the different.
> It don't think it matters.
> 
> Radia
> 
> 
> "Derek Atkins" <derek@ihtfp.com> wrote:
> >Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com> writes:
> >
> >> If there is some way to tell what "wire" things
> >> are coming on, as for instance if they are
> >> different MPLS tunnels, then there's no problem.
> >> But if they are forwarding simply with IP, then
> >> without this way of negotiating on SA creation,
> >> I don't see how the firewalls can do this.
> >
> >Why not just use different identities?
> >
> >The ingres firewall already needs some out-of-band mechanism to know
> >that a packet from 10.0.0.1 is from VPN-1 rather than VPN-2.  It can
> >know this because it's arriving on a different port or a different
> >MPLS tunnel.  Regardless, it doesn't matter, it knows the source.
> >This means that any firewall endpoint must necessarily have some
> >meta-IP method to determine VPNs.
> >
> >If one piece of hardware is acting as an IPsec terminal point, why
> >can't it use a different IKE identity per VPN?  If I want to set up a
> >tunnel for VPN-1, I negotiate an SA for VPN-1 using an IKE ID for
> >VPN-1.
> >
> >A box could internally apply the meta-IP information for SA selection.
> >How this is done does not need to be standardized, IMHO.
> >
> >-derek
> >
> >> Radia
> >> 
> >> "Scott G. Kelly" <scott@airespace.com> wrote:
> >> >I guess I don't see why you can't have multiple tunnels between the
> >> >devices, since the tunnel selectors (the nat'd network addresses) are
> >> >unique. Alternatively, you can use an encapsulation of some sort (GRE,
> >> >UDP, L2TP, etc), which permits unique per-customer selectors. This can
> >> >be done cleanly without modifying the ipsec protocols, can't it?
> >> >
> >> 
> >
> >-- 
> >       Derek Atkins
> >       Computer and Internet Security Consultant
> >       derek@ihtfp.com             www.ihtfp.com
> 
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com

Prev by Date: Re: Another field for traffic selector?
Next by Date: Re: Another field for traffic selector?
Prev by thread: Re: RE: Another field for traffic selector?
Next by thread: Use of AES as prf in IKEv2
Index(es):
- Date
- Thread