Re: IPsec issue #46 -- No need for nested SAs or SA bundles
Just to start some discussion on this issue: wouldn't this break (or make it
very difficult) for IPSP to deal with intermediate gateways etc.? The advantage
of the current model with respect to nested IPsec processing is that it allows
an implementation to inject a new SPD entry (and associated SAs), and not
having to link that SA to a bundle but instead deal with the SPD.
-Angelos
In message <p05200f16bb72791c0917@[128.89.89.115]>, Karen Seo writes:
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #: 46
>
>Title: No need for nested SAs or SA bundles
>
>Description: There is no mandate to support nested SAs or SA bundles.
> It would be easy to include support for the simple
> AH+ESP combination that IKEv1 was able to negotiate, and
> that 2401 mandates, if that combination is still viewed
> as needed. However, IKEv1 was not able to negotiate any
> other nested protocol combinations and IKEv2 does not
> support negotiation of SA bundles.
>
>Proposed approach:
>
> 1. There will be no support for nesting or SA bundles except via
> iteration through IPsec processing. Add text to the discussion
> of differences between 2401 and 2401bis, along the lines of:
>
> "The requirement to support nesting of SAs and the concept of
> SA bundles has been removed. An SPD entry specifies application
> or removal of only one IPsec header. An implementation MAY
> choose to offer SA nesting via appropriate configuration of
> SPDs and forwarding tables. After the packet has passed through
> IPsec processing, it can be redirected through the IPsec module
> again via local, ipsec-virtual-interfaces and use of the [still
> under discussion] forwarding lookup function, to cause more
> than one layer of IPsec headers to be applied or removed. Note
> that to accomplish this, multiple entries would have to be
> created, in distinct SPDs, each specifying a layer of IPsec
> processing to be applied. There is no IKE support for
> negotiating nested SAs, which implies that manual configuration
> or use of additional policy management protocols would be
> required to coordinate processing at peer IPsec implementations."
>
>Thank you,
>Karen
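To make the iterative model in Karen's proposed approach concrete, here is a toy outbound-processing simulation. It is an added example written for this page, not code from the ipsec list thread, from RFC 2401bis, or from any implementation. Every SPD entry applies exactly one IPsec header; a second layer appears only because the forwarding lookup after the first pass sends the packet back into the module on another ipsec virtual interface with its own SPD. The addresses (A, B, G, C, D), interface names (ipsec0, ipsec1, eth0), selectors, SA ids, and the per-interface forwarding tables are all constructed assumptions; the MAX_PASSES guard is a defensive choice, since a misconfigured forwarding table could otherwise bounce a packet between virtual interfaces forever.

```python
"""Toy model of IPsec nesting by iteration, with no SA bundles (added example).

Each SPD entry applies at most ONE IPsec header.  Additional layers arise only
when the forwarding lookup routes the packet back into the module on an ipsec
virtual interface.  Addresses, interface names, SA ids and the per-interface
forwarding tables are constructed for illustration.  Outbound direction only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str                                           # current outermost dst
    layers: List[dict] = field(default_factory=list)   # inner -> outer headers


@dataclass
class SPDEntry:
    dst: str                           # selector: destination (exact match, toy)
    action: str                        # "PROTECT", "BYPASS" or "DISCARD"
    protocol: str = ""                 # "ESP" or "AH" when action == "PROTECT"
    mode: str = "transport"            # "transport" or "tunnel"
    tunnel_dst: Optional[str] = None   # outer destination in tunnel mode
    sa_id: str = ""                    # constructed SA identifier


class Discard(Exception):
    """Packet dropped: DISCARD action, no matching SPD entry, or routing loop."""


class IPsecModule:
    MAX_PASSES = 4   # guard: a bad forwarding table must not loop a packet forever

    def __init__(self, spds: Dict[str, List[SPDEntry]],
                 forwarding: Dict[Tuple[str, str], str], virtual_ifaces: Set[str]):
        self.spds = spds                 # interface -> its own ordered SPD
        self.forwarding = forwarding     # (current iface, dst) -> next iface (assumed)
        self.virtual_ifaces = virtual_ifaces

    def forwarding_lookup(self, iface: str, dst: str) -> str:
        try:
            return self.forwarding[(iface, dst)]
        except KeyError:
            raise Discard(f"no route from {iface} to {dst}")

    def spd_lookup(self, iface: str, pkt: Packet) -> SPDEntry:
        for entry in self.spds.get(iface, []):
            if entry.dst == pkt.dst:
                return entry
        raise Discard(f"no SPD entry on {iface} for {pkt.dst}")  # 2401 default: drop

    @staticmethod
    def apply_one_layer(entry: SPDEntry, pkt: Packet) -> Packet:
        """Apply the single header the matched SPD entry specifies."""
        if entry.action == "DISCARD":
            raise Discard(f"policy discards traffic to {pkt.dst}")
        if entry.action == "BYPASS":
            return pkt
        pkt.layers.append({"proto": entry.protocol, "mode": entry.mode, "sa": entry.sa_id})
        if entry.mode == "tunnel":
            pkt.dst = entry.tunnel_dst   # outer header now addresses the gateway
        return pkt

    def send(self, pkt: Packet) -> Tuple[Packet, str]:
        """One IPsec pass per virtual interface the packet is forwarded onto."""
        iface = self.forwarding_lookup("host", pkt.dst)
        passes = 0
        while iface in self.virtual_ifaces:
            passes += 1
            if passes > self.MAX_PASSES:
                raise Discard("forwarding loop between ipsec interfaces")
            self.apply_one_layer(self.spd_lookup(iface, pkt), pkt)
            iface = self.forwarding_lookup(iface, pkt.dst)   # re-route the result
        return pkt, iface


def build_module() -> IPsecModule:
    """Constructed config: host A -> B behind gateway G.  ipsec0 applies
    end-to-end ESP (transport); ipsec1 applies an ESP tunnel to G.  Two
    layers come from two distinct SPDs, with no bundle linking the SAs."""
    spds = {
        "ipsec0": [SPDEntry("B", "PROTECT", "ESP", "transport", sa_id="sa-inner"),
                   SPDEntry("D", "BYPASS")],
        "ipsec1": [SPDEntry("B", "PROTECT", "ESP", "tunnel", "G", sa_id="sa-outer"),
                   SPDEntry("C", "DISCARD")],
    }
    forwarding = {
        ("host", "B"): "ipsec0",    # first layer
        ("ipsec0", "B"): "ipsec1",  # loop back through the module for layer two
        ("ipsec1", "G"): "eth0",    # outer header leaves on the wire
        ("host", "C"): "ipsec1",
        ("host", "D"): "ipsec0",
        ("ipsec0", "D"): "ipsec0",  # constructed misconfiguration: routes to itself
    }
    return IPsecModule(spds, forwarding, {"ipsec0", "ipsec1"})


def outcome(dst: str) -> str:
    """Summarise what happens to a packet from A to dst."""
    try:
        pkt, iface = build_module().send(Packet("A", dst))
        layers = "+".join(f"{l['proto']}/{l['mode']}" for l in pkt.layers)
        return f"{layers} -> {pkt.dst} via {iface}"
    except Discard as e:
        return f"discard: {e}"


if __name__ == "__main__":
    for d in ("B", "C", "D"):
        print(d, "=>", outcome(d))
```

The packet to B picks up ESP/transport on ipsec0, is re-routed onto ipsec1, picks up the ESP tunnel to G there, and only then reaches eth0; neither SPD knows about the other's SA, which is the point of dropping bundles. The D case shows why an implementation that nests this way needs a pass limit: nothing in the SPDs themselves prevents a forwarding table from sending the packet back to the same virtual interface.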