
Re: IPsec issue #46 -- No need for nested SAs or SA bundles

Just to start some discussion on this issue: wouldn't this break (or make it
very difficult) for IPSP to deal with intermediate gateways etc.? The advantage
of the current model with respect to nested IPsec processing is that it allows
an implementation to inject a new SPD entry (and associated SAs), and not have
to link that SA to a bundle but instead deal with the SPD.
-Angelos

In message <p05200f16bb72791c0917@[128.89.89.115]>, Karen Seo writes:
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #:	46
>
>Title:		No need for nested SAs or SA bundles
>
>Description:	There is no mandate to support nested SAs or SA bundles.
>		It would be easy to include support for the simple
>		AH+ESP combination that IKEv1 was able to negotiate, and
>		that 2401 mandates, if that combination is still viewed
>		as needed. However, IKEv1 was not able to negotiate any
>		other nested protocol combinations and IKEv2 does not
>		support negotiation of SA bundles.
>
>Proposed approach:
>
>      1. There will be no support for nesting or SA bundles except via
>	iteration through IPsec processing.  Add text to the discussion
>	of differences between 2401 and 2401bis, along the lines of:
>
>	"The requirement to support nesting of SAs and the concept of
>	SA bundles has been removed. An SPD entry specifies application
>	or removal of only one IPsec header. An implementation MAY
>	choose to offer SA nesting via appropriate configuration of
>	SPDs and forwarding tables. After the packet has passed through
>	IPsec processing, it can be redirected through the IPsec module
>	again via local, ipsec-virtual-interfaces and use of the [still
>	under discussion] forwarding lookup function, to cause more
>	than one layer of IPsec headers to be applied or removed. Note
>	that to accomplish this, multiple entries would have to be
>	created, in distinct SPDs, each specifying a layer of IPsec
>	processing to be applied.  There is no IKE support for
>	negotiating nested SAs, which implies that manual configuration
>	or use of additional policy management protocols would be
>	required to coordinate processing at peer IPsec implementations."
>
>Thank you,
>Karen
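The iteration model in the quoted proposal, as an added toy simulation that is not part of this thread or of any IPsec implementation: each SPD entry applies one header, a forwarding lookup on the new outer destination can hand the packet to an ipsec virtual interface with its own SPD, and a bound on re-injection catches the loop that a mismatched SPD/forwarding configuration would otherwise produce. All addresses, interface names and table layouts are constructed for illustration.

```python
# Toy model of the proposal quoted above: one SPD entry applies exactly one IPsec
# header, and a further layer is added only by forwarding the packet into an
# "ipsec" virtual interface that has its own SPD. All values are constructed.
from ipaddress import ip_address, ip_network

MAX_NESTING = 8  # bound the re-injection loop; a misconfiguration can otherwise spin

# Per-interface SPDs: (destination selector, protocol, tunnel endpoint).
# No matching entry means the packet is forwarded with the headers it has.
SPDS = {
    "eth0":   [(ip_network("10.2.2.0/24"), "ESP", "192.0.2.1")],      # remote site gateway
    "ipsec1": [(ip_network("192.0.2.0/24"), "ESP", "198.51.100.1")],  # intermediate gateway
}
# Forwarding table keyed on the current outermost destination; a next hop of
# "ipsecN" re-injects the packet into IPsec processing using SPDS["ipsecN"].
FIB = [(ip_network("192.0.2.0/24"), "ipsec1"), (ip_network("0.0.0.0/0"), "wan0")]
# Constructed misconfiguration: ipsec1 tunnels to an address that is routed back
# into ipsec1, so every pass adds yet another ESP header.
LOOPING_SPDS = {
    "eth0":   [(ip_network("10.2.2.0/24"), "ESP", "192.0.2.1")],
    "ipsec1": [(ip_network("192.0.2.0/24"), "ESP", "192.0.2.2")],
}

def lookup(table, dst):
    # First match is enough here; a real SPD is ordered and a real FIB is longest-prefix.
    return next((e for e in table if ip_address(dst) in e[0]), None)

def send(inner_dst, spds=SPDS, fib=FIB, iface="eth0"):
    """Return the header stack, inner to outer, after iterated IPsec processing."""
    headers, dst = [f"IP dst={inner_dst}"], inner_dst
    for _ in range(MAX_NESTING):
        entry = lookup(spds.get(iface, []), dst)
        if entry is not None:               # one SPD entry == one IPsec layer
            _, proto, tunnel_dst = entry
            headers += [proto, f"IP dst={tunnel_dst}"]
            dst = tunnel_dst
        hop = lookup(fib, dst)
        if hop is None:
            raise ValueError(f"no route for {dst}")
        iface = hop[1]
        if not iface.startswith("ipsec"):   # physical interface: processing is done
            return headers
    raise RuntimeError("nesting limit exceeded; SPD/forwarding configuration loops")

def terminates(inner_dst, spds=SPDS, fib=FIB):
    """True if processing finishes within MAX_NESTING layers."""
    try:
        send(inner_dst, spds, fib)
        return True
    except RuntimeError:
        return False
```

Because the two layers live in distinct SPDs and nothing in IKE ties them together, the peer must be configured by hand (or by a separate policy protocol) to strip them in the reverse order, which is exactly the coordination caveat the proposal's last sentence raises.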