
Re: IPsec issue #46 -- No need for nested SAs or SA bundles

OK, thanks for the clarification. Since most of the implementations supporting
2401bis in the near future will be based on existing 2401-compliant
implementations, I think 2401bis should avoid language that prohibits support
for bundling. One approach may be to pretend it's not there, and have a
1-paragraph appendix saying "if you did SA bundling, you don't *have* to
remove it".

Cheers,
-Angelos

In message <p05210609bb7a7f1d7736@[128.89.89.75]>, Stephen Kent writes:
>At 13:06 -0400 9/2/03, Angelos D. Keromytis wrote:
>>Now you know why I went into CS and not English lit :-)
>>
>>Let me decode the sentence: under the current IPsec architecture, it is
>>possible for a host to build a sequence of nested IPsec tunnels iteratively,
>>i.e., simply by setting up the appropriate SPD entries, and then letting IKE
>>set up the SAs.
>>My initial impression is that this is not possible under the new model?
>>Cheers,
>>-Angelos
>>
>
>OK, now I understand your concern. The proposed text does not 
>preclude support for nested tunnels, but it does not mandate such 
>support either. 2401 mandated such support, but I think that in 
>practice support was not present for nesting, except in the simplest 
>case of AH + ESP negotiated at the same time by IKE. So, in reality, 
>the mandated support did not exist in practice in most (any?) 
>mainstream IPsec implementations.
>
>I think we agree that since IKE cannot negotiate nesting in general, 
>that some external means would be needed to cause nested tunnels to 
>come into existence, and to be used. In the proposed processing model 
>one might use VIDs to cause a packet to loop through multiple passes 
>of the IPsec engine. I'm guessing that IPSP might deal with the issue 
>of how IKE is directed to create the multiple SAs.
>
>Since we have had no strong support for nesting expressed on the 
>list, I think it appropriate to remove the mandated support, but 
>still have a way to achieve the effect, if there is a push for it in 
>the future. 2401bis does remove the notion of bundled SAs in the SPD, 
>but since we seem to agree that a higher level policy management 
>protocol is needed to make this happen, it seems reasonable to 
>express the bundling in that protocol. The result is that an 
>implementation that supports IPsec and IKE will be simpler, not 
>burdened with any explicit support for expressing nesting, but 
>capable of effecting nesting if so directed.
>
>Steve
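The processing model Steve describes above (no bundled SAs in the SPD; nesting obtained by letting a tunnelled packet re-enter the engine on a virtual interface where a further SPD entry can match it) is sketched below as an added toy model in Python. It is not code from either author or from any IPsec implementation: the SPD layout, addresses, SPIs and interface names are constructed for illustration, and the pass limit is an assumed safeguard that the thread does not specify.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp_layers: tuple = ()  # SPIs of the ESP tunnels applied so far, innermost first

@dataclass(frozen=True)
class SpdEntry:
    vid: str                 # (virtual) interface the packet must arrive on
    src_sel: str             # source selector, CIDR
    dst_sel: str             # destination selector, CIDR
    action: str              # "PROTECT" or "BYPASS"
    spi: int = 0             # tunnel SA to apply for PROTECT
    outer: tuple = ("", "")  # (outer src, outer dst) written by that tunnel
    out_vid: str = ""        # interface the tunnelled packet is re-injected on

def spd_lookup(spd, vid, pkt):
    """First-match lookup among the entries for the arrival interface."""
    for e in spd:
        if (e.vid == vid and ip_address(pkt.src) in ip_network(e.src_sel)
                and ip_address(pkt.dst) in ip_network(e.dst_sel)):
            return e
    return None

def process(spd, vid, pkt, max_passes=8):
    """Send the packet through the engine once per matching PROTECT entry.
    Returns (packet as it leaves, SPIs applied, interface it leaves on).
    The pass limit is an assumed practical guard: a careless SPD can re-inject
    a packet onto an interface whose entries match it again, forever."""
    applied = []
    for _ in range(max_passes):
        entry = spd_lookup(spd, vid, pkt)
        if entry is None or entry.action == "BYPASS":
            return pkt, applied, vid
        pkt = Packet(*entry.outer, esp_layers=pkt.esp_layers + (entry.spi,))
        applied.append(entry.spi)
        vid = entry.out_vid
    raise RuntimeError("pass limit hit: SPD never stops re-injecting the packet")

# Constructed SPD: two tunnels as plain per-interface entries, no bundle needed
SPD = [
    SpdEntry("host", "10.1.1.0/24", "10.2.2.0/24", "PROTECT", spi=0x1001,
             outer=("192.0.2.10", "192.0.2.1"), out_vid="vif0"),
    SpdEntry("vif0", "192.0.2.10/32", "192.0.2.1/32", "PROTECT", spi=0x2002,
             outer=("203.0.113.7", "198.51.100.1"), out_vid="phys"),
    SpdEntry("phys", "0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
]
```

A packet from 10.1.1.5 to 10.2.2.9 injected on "host" leaves "phys" inside two ESP layers, while one that only the outer entry would match, or none, goes out untouched; an SPD whose PROTECT entry re-injects onto an interface that matches the result again trips the pass limit.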