
Re: Question on SA Bundle



Back to bundle issue, why I want "bundle" to be a rather loose concept:

 - bundle is just a collection of SA's that are required

You ignored my example from MIPv6. As I earlier presented

1) MN is at home, talks to CN. CN could be a web server or mailbox that
   requires some IPSEC for access. We have policy

   remote CN -> CN-SA()

2) MN moves away from home. Suddenly MN needs IPSEC with HA agent

   remote HA -> HA-SA()

3) MN still wants to communicate with CN. MIPv6 calls for tunneling
   the traffic via HA. From IPSEC viewpoint HA is like a SG, and the
   whole internet is the protected network.

   Now, the packets at MN need to look like

   Outgoing:             Incoming:
   ---------             ---------
   IP: dst=HA            dst=COA
       src=COA           src=HA
       IPSEC with HA-SA  IPSEC with HA-SA
   IP: dst=CN            dst=HOME
       src=HOME          src=CN
       IPSEC with CN-SA  IPSEC with CN-SA
       Payload           Payload

SOMEHOW, the above MUST be achieved. Surely there are many ways. BUT, in
MY IPSEC policy I could express the requirement and rule to achieve
the above as (roughly, not going here into detail of how I separate "at
home" and "at away", trust me I can do it :-)

   remote CN -> CN-SA(), HA-SA(tunnel to HA)

I don't want this solution to become "non-conformant". It works for
me!

Now, this looks like a "bundle": a selector and two SA's, and this is
how it's handled in IPSEC packet processing. Packets matching "remote
CN" must have both CN-SA and HA-SA(tunnel) successfully applied for
incoming and outgoing.

However, as far as key management (IKEv1 or IKEv2) is concerned, this
is really two different Phase1 associations, one negotiated between
HOME and CN, and the other negotiated between HOME and HA.

------------

The above is a prime example of why I don't like IKE (or any key management) to
mess/check policy in phase2. Policy is just too complex for them to
handle. I want to be able to work on policy definitions and
enhancements independently of key negotiation implementation.

A similar example can occur even without mobile IP, say

      |
   A -|--- SG ====== B

where A has some highly classified data. You don't want to pass it
clear, even within internal net. Thus any communication with A needs
IPSEC. Now, if B wants to access A outside, it needs IPSEC with SG and
A simultaneously!
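As an added illustration (not code from the original message or from any IPsec implementation), here is a small Python model of the inbound bundle check described above: the policy maps a selector on the innermost remote address to the set of SAs that must all have been applied, and a packet that arrived through the HA tunnel but without the CN-SA is discarded. The addresses HOME, COA, HA and CN are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder addresses for the MN's home address, care-of
# address, home agent and correspondent node.
HOME, COA, HA, CN = "HOME", "COA", "HA", "CN"

@dataclass
class Layer:
    """One IP header and the SA (if any) that protected it."""
    src: str
    dst: str
    sa: Optional[str] = None   # "HA-SA", "CN-SA" or None if unprotected

@dataclass
class Packet:
    layers: List[Layer]        # outermost header first

# Selector (innermost remote address) -> SAs that must ALL be applied.
# "remote CN -> CN-SA(), HA-SA(tunnel to HA)" when away from home,
# and just "remote CN -> CN-SA()" when at home.
POLICY_AWAY: Dict[str, Set[str]] = {CN: {"CN-SA", "HA-SA"}}
POLICY_HOME: Dict[str, Set[str]] = {CN: {"CN-SA"}}

def decapsulate(pkt: Packet, local: Set[str]) -> Tuple[str, Set[str]]:
    """Walk headers outermost -> innermost, recording which SAs were
    actually applied. Every header must be addressed to one of our own
    addresses (HOME or COA); anything else is not a packet for this MN."""
    applied: Set[str] = set()
    remote = ""
    for layer in pkt.layers:
        if layer.dst not in local:
            raise ValueError(f"header dst {layer.dst} is not a local address")
        if layer.sa:
            applied.add(layer.sa)
        remote = layer.src
    return remote, applied

def inbound_ok(pkt: Packet, policy: Dict[str, Set[str]], local: Set[str]) -> bool:
    """Bundle check: accept only if every SA the policy requires for the
    innermost remote selector was applied. Missing entry means discard."""
    remote, applied = decapsulate(pkt, local)
    required = policy.get(remote)
    if required is None:
        return False                       # no policy for this remote: drop
    return required <= applied             # all required SAs present
```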