Fwd: IPsec issue #46 -- No need for nested SAs or SA bundles
>X-Sender: kseo@po2.bbn.com
>Date: Wed, 27 Aug 2003 11:10:02 -0400
>To: ipsec@lists.tislabs.com
>From: Karen Seo <kseo@bbn.com>
>Subject: IPsec issue #46 -- No need for nested SAs or SA bundles
>Cc: "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi,
>    kseo@bbn.com
>X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
>Status:  
>
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #:	46
>
>Title:		No need for nested SAs or SA bundles
>
>Description:	There is no mandate to support nested SAs or SA bundles.
>		It would be easy to include support for the simple
>		AH+ESP combination that IKEv1 was able to negotiate, and
>		that 2401 mandates, if that combination is still viewed
>		as needed. However, IKEv1 was not able to negotiate any
>		other nested protocol combinations and IKEv2 does not
>		support negotiation of SA bundles.
>
>Proposed approach:
>
>      1. There will be no support for nesting or SA bundles except via
>	iteration through IPsec processing.  Add text to the discussion
>	of differences between 2401 and 2401bis, along the lines of:
>
>	"The requirement to support nesting of SAs and the concept of
>	SA bundles has been removed. An SPD entry specifies application
>	or removal of only one IPsec header. An implementation MAY
>	choose to offer SA nesting via appropriate configuration of
>	SPDs and forwarding tables. After the packet has passed through
>	IPsec processing, it can be redirected through the IPsec module
>	again via local, ipsec-virtual-interfaces and use of the [still
>	under discussion] forwarding lookup function, to cause more
>	than one layer of IPsec headers to be applied or removed. Note
>	that to accomplish this, multiple entries would have to be
>	created, in distinct SPDs, each specifying a layer of IPsec
>	processing to be applied.  There is no IKE support for
>	negotiating nested SAs, which implies that manual configuration
>	or use of additional policy management protocols would be
>	required to coordinate processing at peer IPsec implementations."
>
>Thank you,
>Karen
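The processing model the message proposes, as an added example that is not part of Karen Seo's message and not the code of any IPsec implementation: every SPD entry applies or removes exactly one IPsec header, and nesting happens only because a forwarding lookup reinjects the packet through a second, distinct SPD via a virtual interface. The peer side shows why this needs manual coordination: the inner layer was never negotiated by IKE, so a peer whose SAD only holds the outer SA discards the packet. Interface names (`host0`, `gw0`), the `next_if` field standing in for the forwarding lookup, the SPI values, the addresses and the SAD layout are all constructed for illustration; the loop guard generalizes the two-layer case in the text to any number of passes.

```python
"""Added example: RFC 2401bis-style IPsec policy processing in which every
SPD entry applies or removes exactly one IPsec header, and nesting is
obtained by reinjecting the packet through a second SPD (the message's
"iteration through IPsec processing" via a virtual interface).  Not the
message's or any implementation's code; interface names, SPIs, addresses
and field names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SPDEntry:
    src_net: str
    dst_net: str
    action: str                     # "PROTECT" | "BYPASS" | "DISCARD"
    proto: Optional[str] = None     # "ESP" or "AH": one header per entry, never a bundle
    mode: Optional[str] = None      # "transport" | "tunnel"
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None
    spi: Optional[int] = None
    next_if: Optional[str] = None   # hypothetical forwarding-lookup result: the virtual
                                    # interface whose SPD gets the packet next; None = wire

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class Packet:
    src: str
    dst: str
    headers: list = field(default_factory=list)   # applied IPsec headers, outermost last


def outbound(pkt: Packet, spds: dict, start_if: str, max_passes: int = 4) -> Optional[Packet]:
    """One pass = one SPD lookup = at most one header.  Nesting needs another pass."""
    iface, passes = start_if, 0
    while iface is not None:
        passes += 1
        if passes > max_passes:
            raise RuntimeError("SPD/forwarding configuration loops")
        entry = next((e for e in spds[iface] if e.matches(pkt.src, pkt.dst)), None)
        if entry is None or entry.action == "DISCARD":
            return None                                   # no applicable policy: drop
        if entry.action == "PROTECT":
            hdr = {"proto": entry.proto, "spi": entry.spi, "mode": entry.mode}
            if entry.mode == "tunnel":                    # outer header hides inner addresses
                hdr["inner_src"], hdr["inner_dst"] = pkt.src, pkt.dst
                pkt.src, pkt.dst = entry.tunnel_src, entry.tunnel_dst
            pkt.headers.append(hdr)
        iface = entry.next_if                             # the forwarding lookup
    return pkt


def inbound(pkt: Packet, sad: dict, max_passes: int = 4) -> Optional[Packet]:
    """Peer side: strip one header per pass.  Every (proto, SPI) must already be in
    the peer's SAD; IKE never negotiated the nested layer, so only matching manual
    configuration on both ends makes this succeed."""
    passes = 0
    while pkt.headers:
        passes += 1
        if passes > max_passes:
            raise RuntimeError("too many IPsec layers")
        hdr = pkt.headers.pop()                           # outermost header first
        sa = sad.get((hdr["proto"], hdr["spi"]))
        if sa is None or sa["mode"] != hdr["mode"]:
            return None                                   # unknown SA: discard
        if hdr["mode"] == "tunnel":
            pkt.src, pkt.dst = hdr["inner_src"], hdr["inner_dst"]
    return pkt


def build_spds() -> dict:
    """Two distinct SPDs, each contributing exactly one layer (constructed values)."""
    return {
        # host SPD: end-to-end ESP transport, then reinject via virtual interface gw0
        "host0": [SPDEntry("10.1.0.0/24", "10.2.0.0/24", "PROTECT", "ESP", "transport",
                           spi=0x1001, next_if="gw0")],
        # gateway SPD: ESP tunnel between the security gateways, then out to the wire
        "gw0": [SPDEntry("10.1.0.0/24", "10.2.0.0/24", "PROTECT", "ESP", "tunnel",
                         "192.0.2.1", "198.51.100.1", spi=0x2002),
                SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")],
    }


# Peer SADs (constructed): fully coordinated vs. only the IKE-negotiable outer SA.
PEER_SAD_FULL = {("ESP", 0x2002): {"mode": "tunnel"}, ("ESP", 0x1001): {"mode": "transport"}}
PEER_SAD_OUTER_ONLY = {("ESP", 0x2002): {"mode": "tunnel"}}

if __name__ == "__main__":
    sent = outbound(Packet("10.1.0.5", "10.2.0.7"), build_spds(), "host0")
    print([hex(h["spi"]) for h in sent.headers], sent.src, sent.dst)
    print(inbound(Packet(sent.src, sent.dst, list(sent.headers)), PEER_SAD_FULL))
    print(inbound(Packet(sent.src, sent.dst, list(sent.headers)), PEER_SAD_OUTER_ONLY))
```

The point the model makes concrete is that the second layer is entirely a local artifact of SPD and forwarding-table configuration: `gw0` never learns that `host0` already applied a header, and the peer only accepts the result because its SAD was populated out of band with the same SPIs and modes.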