Fwd: IPsec issue #46 -- No need for nested SAs or SA bundles
>X-Sender: kseo@po2.bbn.com
>Date: Wed, 27 Aug 2003 11:10:02 -0400
>To: ipsec@lists.tislabs.com
>From: Karen Seo <kseo@bbn.com>
>Subject: IPsec issue #46 -- No need for nested SAs or SA bundles
>Cc: "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi,
> kseo@bbn.com
>
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #: 46
>
>Title: No need for nested SAs or SA bundles
>
>Description: There is no mandate to support nested SAs or SA bundles.
> It would be easy to include support for the simple
> AH+ESP combination that IKEv1 was able to negotiate, and
> that 2401 mandates, if that combination is still viewed
> as needed. However, IKEv1 was not able to negotiate any
> other nested protocol combinations and IKEv2 does not
> support negotiation of SA bundles.
>
>Proposed approach:
>
> 1. There will be no support for nesting or SA bundles except via
> iteration through IPsec processing. Add text to the discussion
> of differences between 2401 and 2401bis, along the lines of:
>
> "The requirement to support nesting of SAs and the concept of
> SA bundles has been removed. An SPD entry specifies application
> or removal of only one IPsec header. An implementation MAY
> choose to offer SA nesting via appropriate configuration of
> SPDs and forwarding tables. After the packet has passed through
> IPsec processing, it can be redirected through the IPsec module
> again via local, ipsec-virtual-interfaces and use of the [still
> under discussion] forwarding lookup function, to cause more
> than one layer of IPsec headers to be applied or removed. Note
> that to accomplish this, multiple entries would have to be
> created, in distinct SPDs, each specifying a layer of IPsec
> processing to be applied. There is no IKE support for
> negotiating nested SAs, which implies that manual configuration
> or use of additional policy management protocols would be
> required to coordinate processing at peer IPsec implementations."
>
>Thank you,
>Karen
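The proposed text above describes nesting only by iteration: one SPD entry applies one IPsec header, and the packet re-enters IPsec by being forwarded to an ipsec virtual interface that has its own SPD and forwarding table. The following Python model, added here and not part of the original message or of any IPsec implementation, shows that iteration with a constructed two-layer policy (ESP tunnel to a gateway, then AH in transport mode over the tunnel); the interface names, prefix-string selectors and table layout are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class SpdEntry:
    dst_prefix: str       # selector, reduced to a destination-address prefix (string match)
    action: str           # "PROTECT", "BYPASS" or "DISCARD"
    protocol: str = ""    # "ESP" or "AH": one entry applies exactly one IPsec header
    tunnel_dst: str = ""  # outer destination for tunnel mode; "" means transport mode

@dataclass
class Packet:
    dst: str
    layers: list = field(default_factory=list)  # IPsec headers applied so far, inner first

def spd_lookup(spd, pkt):  # first match wins; no match means DISCARD (default deny)
    return next((e for e in spd if pkt.dst.startswith(e.dst_prefix)), SpdEntry("", "DISCARD"))

def fwd_lookup(table, dst):  # table is a list of (prefix, next interface); None if no route
    return next((iface for prefix, iface in table if dst.startswith(prefix)), None)

def apply_one_layer(entry, pkt):
    pkt.layers.append(entry.protocol)
    if entry.tunnel_dst:  # tunnel mode: new outer IP header addressed to the peer
        return Packet(entry.tunnel_dst, pkt.layers)
    return pkt

def outbound(pkt, spds, fwd_tables, max_passes=4):
    """Returns (packet, egress interface); a None packet means it was discarded."""
    iface = fwd_lookup(fwd_tables["main"], pkt.dst)
    for _ in range(max_passes):  # bound re-entry so a bad forwarding table cannot loop forever
        if iface not in spds:    # only ipsec virtual interfaces carry an SPD; physical ones end it
            return pkt, iface
        entry = spd_lookup(spds[iface], pkt)
        if entry.action == "DISCARD":
            return None, iface
        if entry.action == "PROTECT":
            pkt = apply_one_layer(entry, pkt)
        iface = fwd_lookup(fwd_tables[iface], pkt.dst)  # lookup on the (possibly new outer) dst
    raise RuntimeError("forwarding loop between ipsec interfaces")

# Constructed sample policy: ESP tunnel to gateway 192.0.2.1, then AH transport over the tunnel.
SPDS = {"ipsec0": [SpdEntry("10.2.", "PROTECT", "ESP", tunnel_dst="192.0.2.1")],
        "ipsec1": [SpdEntry("192.0.2.", "PROTECT", "AH")]}
FWD = {"main":   [("10.2.", "ipsec0"), ("192.0.2.", "ipsec1")],
       "ipsec0": [("192.0.2.", "ipsec1")],
       "ipsec1": [("192.0.2.", "eth0")]}
```

Running `outbound(Packet("10.2.0.5"), SPDS, FWD)` yields a packet with layers `['ESP', 'AH']`, outer destination `192.0.2.1`, leaving on `eth0`; as the message notes, nothing in IKE coordinates such a two-SPD configuration with the peer, so both sides must be configured by hand to match.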