
Re: Question on SA Bundle

> From: Stephen Kent <kent@bbn.com>
> 
> I guess I don't really understand your motivation for not having IKE 
> convey the policy info from the SPDs to avoid future problems. Do you 
> envision other ways to convey this data, or do you not believe that 
> it is worthwhile to avoid the sort of problems noted above?

The current IPSEC/IKE architecture seems to be something like

    +-------------------------+
    | TCP/IP Stack +          |
    |   IPSEC processing      |
    |   ^  (AH/ESP/RFC-2401)  |
    +---|----------|----------+
        |          | Key API
        |          | 
      Policy ---> IKE

I believe the "Policy --> IKE" link should not be there (not for
PHASE2 SA's at least). For IKE, all that is needed is the Key API.

This would be a simpler architecture, with clean interfaces between
modules:

    +-------------------------+
    | TCP/IP Stack +          |
    |   IPSEC processing      |
    |   ^  (AH/ESP/RFC-2401)  |
    +---|----------|----------+
        |          | Key API
        |          | 
      Policy      IKE

IPSEC asks the keys via Key API (in my case, this is PFKEYv2). The
"ACQUIRE" just contains the requested TS parameters.

With this architecture, building IKE and IPSEC can be done
independently. If you have two IPSEC implementations for the host, you
could swap IKE implementations freely between them, and still have a
working system.
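As an added example (not code from this thread or from any PF_KEY implementation), here is the shape of the PF_KEYv2 ACQUIRE described above: built as the kernel would hand it to IKE, carrying only the traffic selectors, and validated as an IKE daemon should before it trusts any field. The struct layouts and constants are restated from RFC 2367 rather than taken from kernel headers, and the addresses are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
/* Constants and layouts follow RFC 2367; re-declared here so the example builds without kernel headers. */
#define PF_KEY_V2 2
#define SADB_ACQUIRE 6
#define SADB_SATYPE_ESP 3
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t reserved; };
/* One address extension: 8-byte header plus sockaddr_in, rounded up to the 8-byte unit PF_KEY counts in. */
#define ADDR_EXT_BYTES (sizeof(struct sadb_address) + ((sizeof(struct sockaddr_in) + 7) & ~(size_t)7))
static void put_addr(uint8_t *p, uint16_t type, uint8_t proto, const char *ip) {
    struct sadb_address a = { ADDR_EXT_BYTES / 8, type, proto, 32, 0 };
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; inet_pton(AF_INET, ip, &sa.sin_addr);
    memset(p, 0, ADDR_EXT_BYTES); memcpy(p, &a, sizeof a); memcpy(p + sizeof a, &sa, sizeof sa);
}

/* Kernel side: the ACQUIRE carries only the requested traffic selectors (src, dst, proto), no SPD policy.
 * Returns bytes written, 0 if buf is too small. */
size_t build_acquire(uint8_t *buf, size_t cap, uint32_t seq, const char *src, const char *dst, uint8_t proto) {
    size_t total = sizeof(struct sadb_msg) + 2 * ADDR_EXT_BYTES;
    if (cap < total) return 0;
    struct sadb_msg m = { PF_KEY_V2, SADB_ACQUIRE, 0, SADB_SATYPE_ESP, (uint16_t)(total / 8), 0, seq, 0 };
    memcpy(buf, &m, sizeof m);
    put_addr(buf + sizeof m, SADB_EXT_ADDRESS_SRC, proto, src);
    put_addr(buf + sizeof m + ADDR_EXT_BYTES, SADB_EXT_ADDRESS_DST, proto, dst);
    return total;
}

/* IKE side: check every length before trusting a field, then pull out the selectors. 0 on success, -1 if malformed. */
int parse_acquire(const uint8_t *buf, size_t n, char *src, char *dst, uint8_t *proto) {
    struct sadb_msg m; struct sadb_address a; struct sockaddr_in sa; int seen = 0;
    if (n < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if (m.version != PF_KEY_V2 || m.type != SADB_ACQUIRE || (size_t)m.len * 8 != n) return -1;
    for (size_t off = sizeof m; off < n; off += (size_t)a.len * 8) {
        if (n - off < sizeof a) return -1;                               /* truncated extension header */
        memcpy(&a, buf + off, sizeof a);
        if (a.len == 0 || (size_t)a.len * 8 > n - off) return -1;        /* length runs past the message: refuse */
        if (a.exttype != SADB_EXT_ADDRESS_SRC && a.exttype != SADB_EXT_ADDRESS_DST) continue;
        if ((size_t)a.len * 8 < sizeof a + sizeof sa) return -1;        /* too short to hold a sockaddr_in */
        memcpy(&sa, buf + off + sizeof a, sizeof sa);
        if (sa.sin_family != AF_INET) return -1;
        inet_ntop(AF_INET, &sa.sin_addr, a.exttype == SADB_EXT_ADDRESS_SRC ? src : dst, INET_ADDRSTRLEN);
        *proto = a.proto; seen |= a.exttype == SADB_EXT_ADDRESS_SRC ? 1 : 2;
    }
    return seen == 3 ? 0 : -1;   /* both selectors are mandatory in an ACQUIRE */
}
```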