Re: IPsec issue #46 -- No need for nested SAs or SA bundles
OK, thanks for the clarification. Since most of the implementations supporting
2401bis in the near future will be based on existing 2401-compliant
implementations, I think 2401bis should avoid language that prohibits support
for bundling. One approach may be to pretend it's not there, and have a
1-paragraph appendix saying "if you did SA bundling, you don't *have* to
remove it".
Cheers,
-Angelos
In message <p05210609bb7a7f1d7736@[128.89.89.75]>, Stephen Kent writes:
>At 13:06 -0400 9/2/03, Angelos D. Keromytis wrote:
>>Now you know why I went into CS and not English lit :-)
>>
>>Let me decode the sentence: under the current IPsec architecture, it is
>>possible for a host to build a sequence of nested IPsec tunnels
>>iteratively, i.e., simply by setting up the appropriate SPD entries, and
>>then letting IKE set up the SAs.
>>My initial impression is that this is not possible under the new model ?
>>Cheers,
>>-Angelos
>>
>
>OK, now I understand your concern. The proposed text does not
>preclude support for nested tunnels, but it does not mandate such
>support either. 2401 mandated such support, but I think that in
>practice support was not present for nesting, except in the simplest
>case of AH + ESP negotiated at the same time by IKE. So, in reality,
>the mandated support did not exist in practice in most (any?)
>mainstream IPsec implementations.
>
>I think we agree that since IKE cannot negotiate nesting in general,
>that some external means would be needed to cause nested tunnels to
>come into existence, and to be used. In the proposed processing model
>one might use VIDs to cause a packet to loop through multiple passes
>of the IPsec engine. I'm guessing that IPSP might deal with the issue
>of how IKE is directed to create the multiple SAs.
>
>Since we have had no strong support for nesting expressed on the
>list, I think it appropriate to remove the mandated support, but
>still have a way to achieve the effect, if there is a push for it in
>the future. 2401bis does remove the notion of bundled SAs in the SPD,
>but since we seem to agree that a higher level policy management
>protocol is needed to make this happen, it seems reasonable to
>express the bundling in that protocol. The result is that an
>implementation that supports IPsec and IKE will be simpler, not
>burdened with any explicit support for expressing nesting, but
>capable of effecting nesting if so directed.
>
>Steve
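As an added illustration, not code from this thread, from RFC 2401 or from any 2401bis draft, here is a small Python model of the processing loop Steve describes: the SPD carries no bundle object; instead each entry is selected by a virtual interface id (VID), a tunnel-mode "protect" action encapsulates the packet and re-injects it on another VID, and nesting falls out of that wiring alone. The `Packet` and `SPDEntry` classes, the `next_vid` field, the default "physical" VID, the pass limit and all addresses are constructed for the example. The loop guard shows the failure mode such a model needs: VID wiring that points back at itself would otherwise encapsulate forever.

```python
"""Toy model of a VID-driven IPsec outbound processing loop (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "esp", ...
    vid: str                                     # virtual interface the packet sits on now
    layers: Tuple[Tuple[str, str], ...] = ()     # inner (src, dst) headers hidden by encapsulation


@dataclass
class SPDEntry:
    vid: str                                     # VID selector: which engine pass this rule serves
    src_net: str
    dst_net: str
    action: str                                  # "protect", "bypass" or "discard"
    proto: Optional[str] = None                  # None matches any protocol
    tunnel: Optional[Tuple[str, str]] = None     # outer (src, dst) of the tunnel-mode SA
    next_vid: Optional[str] = None               # where the encapsulated packet is re-injected


def matches(entry: SPDEntry, pkt: Packet) -> bool:
    return (pkt.vid == entry.vid
            and (entry.proto is None or entry.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(entry.src_net)
            and ip_address(pkt.dst) in ip_network(entry.dst_net))


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    for entry in spd:                            # ordered SPD: first match wins
        if matches(entry, pkt):
            return entry
    return None


def process_outbound(spd: List[SPDEntry], pkt: Packet, max_passes: int = 8):
    """Push a packet through the engine until it is bypassed or discarded.

    Returns (final_packet_or_None, trace).  Each 'protect' pass wraps the
    packet in a new outer header and moves it to entry.next_vid, so a second
    SPD entry keyed on that VID can wrap it again: nested tunnels with no
    bundle in the SPD.  max_passes bounds mis-wired VIDs that would loop.
    """
    trace = []
    for _ in range(max_passes):
        entry = lookup(spd, pkt)
        if entry is None or entry.action == "discard":
            trace.append(("discard", pkt.vid))
            return None, trace
        if entry.action == "bypass":
            trace.append(("bypass", pkt.vid))
            return pkt, trace
        outer_src, outer_dst = entry.tunnel      # "protect": tunnel-mode encapsulation
        trace.append(("encap", pkt.vid, outer_src, outer_dst))
        pkt = Packet(src=outer_src, dst=outer_dst, proto="esp",
                     vid=entry.next_vid or "physical",
                     layers=pkt.layers + ((pkt.src, pkt.dst),))
    raise RuntimeError("packet exceeded %d passes: VID wiring forms a loop" % max_passes)


def nested_spd() -> List[SPDEntry]:
    """Constructed SPD: host-to-host tunnel, then host-to-gateway tunnel around it."""
    return [
        SPDEntry(vid="host", src_net="10.1.1.0/24", dst_net="10.2.2.0/24",
                 action="protect", tunnel=("10.1.1.5", "10.2.2.7"), next_vid="vpn"),
        SPDEntry(vid="vpn", src_net="10.1.1.5/32", dst_net="10.2.2.7/32", proto="esp",
                 action="protect", tunnel=("198.51.100.5", "192.0.2.1"), next_vid="physical"),
        SPDEntry(vid="physical", src_net="0.0.0.0/0", dst_net="0.0.0.0/0", action="bypass"),
    ]


def demo_nested():
    """Two encapsulations, then the packet leaves on the physical interface."""
    pkt = Packet(src="10.1.1.5", dst="10.2.2.7", proto="tcp", vid="host")
    return process_outbound(nested_spd(), pkt)


def demo_loop_guard() -> bool:
    """An entry that re-injects onto its own VID is caught by the pass limit."""
    spd = [SPDEntry(vid="loop", src_net="0.0.0.0/0", dst_net="0.0.0.0/0",
                    action="protect", tunnel=("198.51.100.5", "192.0.2.1"), next_vid="loop")]
    try:
        process_outbound(spd, Packet(src="10.1.1.5", dst="10.2.2.7", proto="tcp", vid="loop"))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    final, trace = demo_nested()
    print(final)
    for step in trace:
        print(step)
    print("loop guard fired:", demo_loop_guard())
```

The point the thread makes is visible in `nested_spd()`: neither entry knows about the other, and no SPD object says "AH + ESP" or "tunnel inside tunnel"; whatever higher-level policy protocol creates those two entries and their VID wiring is what expresses the nesting, and IKE only ever sees two independent SA requests.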