[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPsec issue #46 -- No need for nested SAs or SA bundles

To: <ipsec@lists.tislabs.com>
Subject: RE: IPsec issue #46 -- No need for nested SAs or SA bundles
From: "Mohan Parthasarathy" <mohanp@tahoenetworks.com>
Date: Thu, 4 Sep 2003 12:44:41 -0700
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcNxtqhd9Uc+FtNeSZSoZ4LyERTvBwAp1EKAAC+455A=
Thread-Topic: IPsec issue #46 -- No need for nested SAs or SA bundles


> 
> >>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
>     Markku> Just a note: my implementation can do nested 
> SA's, assuming you
>     Markku> mean situation where you have an internal node 
> "Another" that
>     Markku> wants IPSEC, but which happens to be behind a 
> security gateway SG:
> 
>     Markku>               SA1
>     Markku> MyNode  <---------------> SG
>     Markku>         <----------------------------------------> Another
>     Markku>               SA2
> 
>   Let me extend this a bit, to make sure we are talking about 
> the same thing.
> 
> SPD:
> 
>          SRCIP     DESTIP       gateway
>   SA1	 MyNode/32 Another/32   SG
>   SA2	 MyNode/32 Another/32   Another
> 
> 
>   FreeS/WAN current can *NOT* handle this. I consider this a 
> serious bug, which I unfortunately, do not have a mandate to 
> fix at this time.
> 
>   I believe that this facility needs to remain in the 
> specification. In particular, when "MyNode" decapsulates, it 
> has to be very careful to avoid loosing any priviledges that 
> SA1 or SA2 might have conveyed, while still protecting things 
> properly.

Yes, please do not remove it from the specification. PANA working group
is trying to use SA bundles. SG above is the local enforcement
point ( e.g.NAS, Access Router) and "Another" could be the SG of your
corporate network for VPN access.

draft-mohanp-pana-ipsec-00.txt explains this in IP-IP transport mode
where
the SA bundles are not required. But with recent discussions in PANA WG,
I am going to go back to tunnel mode SA. At least, this is another
scenario
where this would be useful.

thanks
mohan

> 
> ]      Out and about in Ottawa.    hmmm... beer.              
>   |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON  
>   |net architect[
> ] mcr@sandelman.ottawa.on.ca 
> http://www.sandelman.ottawa.on.ca/ |device > driver[ ] 
> panic("Just another Debian/notebook using, kernel hacking, 
> security guy");  [
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys - custom hacks make this fully PGP2 compat
> 
> iQCVAwUBP1Ubr4qHRg3pndX9AQGLHQQAoxssKgYDj88AimxNbSU9jZGULpv8OjLP
> r8Iyx0klU9SmG2YiEC3aMXZEl5Enu3gXTETPPUy9tPC5n7jbsEqSR5L2BEQFyWdq
> PT1v8MjIDlVlZ5NHnQiKZRzcj7hgvJEBNKfdznkeavVov1yM259Vgjz8af416FKy
> AtiZP3LXaso=
> =hmzS
> -----END PGP SIGNATURE-----
>

Prev by Date: Re: IPsec issue #46 -- No need for nested SAs or SA bundles
Next by Date: Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer
Prev by thread: RE: IPsec issue #46 -- No need for nested SAs or SA bundles
Next by thread: Possible missing messages
Index(es):
- Date
- Thread