
Re: ipsec SAs



At 12:07 -0400 7/18/03, George Hadjichristofi wrote:
>Hi,
>
>I have a question about IPSec SAs.
>
>There is a network such as:
>A----Gateway1 ===tunnel====Gateway2 ----B
>
>A and B are the subnets.
>Gateway 1 and 2 negotiate a tunnel such that A can communicate securely with
>B.
>
>Based on RFC2401, does that mean that A will only be able to talk to B and
>no other nodes on the network, or just that it will talk to B via a secure
>tunnel and to everybody else in cleartext?
>
>Should A be able to talk to Gateway2?
>
>Thank you
>George
>

The scenario in your diagram is common. The administrators for the 
security gateways decide whether the tunnel that is created between 
them will carry all traffic between any two hosts on the subnets 
behind them, or just traffic between A & B, or even whether a 
separate tunnel is created for each different connection between A & 
B, etc.  Depending on how these administrators choose to define the 
SPD entries for communication between these two subnets, there are 
lots of possibilities.

You ask whether A should be able to talk to Gateway 2. Again, this 
will be a function of the SPD entries.

Steve
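Steve's point that the answer is entirely a function of the SPD entries can be made concrete with a small RFC 2401-style SPD lookup (ordered entries, first match wins, no match means discard). This is an added example, not part of the thread; the subnets, host and gateway addresses, and the three policy variants are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class SpdEntry:
    src: str                               # source selector, CIDR (host = /32)
    dst: str                               # destination selector, CIDR
    action: str                            # "PROTECT", "BYPASS" or "DISCARD"
    tunnel: Optional[Tuple[str, str]] = None  # (local gw, remote gw) for tunnel-mode PROTECT

def lookup(spd, src, dst):
    """Return (action, tunnel) for an outbound packet src->dst.

    RFC 2401 SPD semantics: entries are ordered, the first whose
    selectors match wins; a packet that matches nothing is discarded.
    """
    s, d = ip_address(src), ip_address(dst)
    for entry in spd:
        if s in ip_network(entry.src) and d in ip_network(entry.dst):
            return entry.action, entry.tunnel
    return "DISCARD", None

# Constructed topology: subnet A behind GW1, subnet B behind GW2.
SUBNET_A, HOST_A = "10.1.0.0/24", "10.1.0.10"
SUBNET_B, HOST_B = "10.2.0.0/24", "10.2.0.20"
GW1, GW2 = "192.0.2.1", "198.51.100.1"
TUNNEL = (GW1, GW2)

# Variant 1: whole subnets A<->B through the tunnel, everything else in the clear.
SPD_SUBNETS = [
    SpdEntry(SUBNET_A, SUBNET_B, "PROTECT", TUNNEL),
    SpdEntry(SUBNET_A, "0.0.0.0/0", "BYPASS"),
]

# Variant 2: only host A to host B is protected; other B hosts are cleartext.
SPD_HOSTS = [
    SpdEntry(HOST_A + "/32", HOST_B + "/32", "PROTECT", TUNNEL),
    SpdEntry(SUBNET_A, "0.0.0.0/0", "BYPASS"),
]

# Variant 3: A may talk to B only; no BYPASS entry, so all else hits the default discard.
SPD_STRICT = [
    SpdEntry(SUBNET_A, SUBNET_B, "PROTECT", TUNNEL),
]
```

Under SPD_SUBNETS a packet from host A to Gateway 2's own address matches the BYPASS entry, not the tunnel, because GW2 is outside subnet B; adding or omitting an entry for GW2 is exactly the administrative choice Steve describes.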