[Remote access]: Find the right SA on outbound processing
Hi folks,
I found a problem (maybe) in locating the right outbound
SA in the SAD in the case of remote access and would appreciate any feedback
from the group.
Let's suppose we have an SGW (Security Gateway) with the following SPD
(C_NET is the corporate net, i.e., 192.168.0.0/16):
s_addr=any d_addr=C_NET proto=any dir=inbound IPSEC ESP/Tunnel
s_addr=C_NET d_addr=any proto=any dir=outbound IPSEC ESP/Tunnel
So the SGW requires that all traffic must be carried by an ESP/Tunnel SA.
Now a remote host (say it is addressable at HOSTA) wants to access
the corporate network.
HOSTA initiates an IKEv2 handshake with the SGW.
Because HOSTA requires configuration (via the CP, Configuration
Payload), SGW will send a CP containing the IP address the remote host
must use as the inner header's IP source address (for example 192.168.10.1).
After negotiating the SAs (one per direction) HOSTA's and SGW's SAD
will be:
[d_addr/ SPI /proto] (SA's specific material)
[HOSTA /SPI_A/ ESP ] (SA's specific material)
[SGW /SPI_B/ ESP ] (SA's specific material)
At this point another remote host (say it is addressable at HOSTB) wants
to gain access to the corporate network.
HOSTB initiates an IKEv2 handshake with the SGW, and because it requires
configuration, it will send a CP to the SGW requesting a valid inner header
source IP address. SGW will respond with this information (for example
192.168.10.2).
After this second negotiation SGW's SAD will be:
[d_addr/ SPI /proto] (SA's specific material)
1 - [HOSTA /SPI_A/ ESP ] (SA's specific material)
2 - [SGW /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /SPI_C/ ESP ] (SA's specific material)
4 - [SGW /SPI_D/ ESP ] (SA's specific material)
Now HOSTC, in the corporate network, wants to send a packet to
192.168.10.2. This packet will be sent to the SGW.
SGW will match the packet's selectors against the outbound SPD, and these will
match the only rule in the SPD (outbound), which points to two
different SAs in the SAD (1 & 3). However, SGW does not have any
information (in the SAD) to select the right one.
Is this right? Or is there something I'm missing?
A trick to avoid the problem is to make one SPD entry per peer:
(SGW SPD)
s_addr=192.168.10.1 d_addr=any proto=any dir=inbound IPSEC ESP/Tunnel
s_addr=192.168.10.2 d_addr=any proto=any dir=inbound IPSEC ESP/Tunnel
s_addr=192.168.10.3 d_addr=any proto=any dir=inbound IPSEC ESP/Tunnel
...
...
...
s_addr=any d_addr=192.168.10.1 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.2 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.3 proto=any dir=outbound IPSEC ESP/Tunnel
...
...
...
However, this solution makes the SPD bigger and bigger.
Another kind of solution would be to put the assigned IP address (the inner
header's IP) in the SAD:
[outer d_addr/inner d_addr/SPI/proto] (SA's specific material)
1 - [HOSTA /192.168.10.1/SPI_A/ ESP ] (SA's specific material)
2 - [SGW / SGW /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /192.168.10.2/SPI_C/ ESP ] (SA's specific material)
4 - [SGW / SGW /SPI_D/ ESP ] (SA's specific material)
Any other ideas?
--
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Tesista Area E-Service Tecnologies
Tel: 02-23954.334 - email: forzieri@cefriel.it
------------------------------------------------
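To make the ambiguity concrete, here is an added Python model of the three SPD/SAD layouts discussed in the post (an editor's illustration, not code from the post or from any IPsec implementation). It keeps HOSTA, HOSTB and SGW as the symbolic outer addresses used above, assumes a constructed address 192.168.1.5 for HOSTC, and records which SPD rule each SA was negotiated for. With the single outbound rule, the lookup for 192.168.10.2 returns SAs 1 and 3; with one SPD entry per assigned address, or with the assigned inner address stored in the SAD, it returns only SA 3, and an address that was never assigned yields no SA at all instead of a silently wrong pick.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SPDEntry:
    """One SPD rule: traffic selectors plus direction (the action is always ESP/Tunnel here)."""
    s_addr: str          # "any", or a network / host address in CIDR or dotted form
    d_addr: str
    direction: str       # "inbound" or "outbound"


@dataclass(frozen=True)
class SADEntry:
    """One SAD entry. Outer addresses are the post's symbolic names (HOSTA, SGW, ...)."""
    name: str
    outer_d_addr: str
    spi: str
    proto: str
    rule: SPDEntry                      # the SPD rule this SA was negotiated for
    inner_d_addr: Optional[str] = None  # CP-assigned inner address (the proposed SAD extension)


def selector_matches(selector: str, address: str) -> bool:
    """'any' matches everything; otherwise the address must lie inside the selector."""
    if selector == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


def lookup_outbound_rule(spd: List[SPDEntry], src: str, dst: str) -> Optional[SPDEntry]:
    """First outbound SPD rule whose selectors match the packet (the SPD is ordered)."""
    for rule in spd:
        if (rule.direction == "outbound"
                and selector_matches(rule.s_addr, src)
                and selector_matches(rule.d_addr, dst)):
            return rule
    return None


def select_outbound_sas(spd: List[SPDEntry], sad: List[SADEntry], src: str, dst: str) -> List[str]:
    """Names of the SAD entries that could carry an outbound packet src -> dst.

    More than one name means the lookup is ambiguous; an empty list means no
    SA exists yet (a real SGW would trigger IKE or drop the packet).
    """
    rule = lookup_outbound_rule(spd, src, dst)
    if rule is None:
        return []
    candidates = [sa for sa in sad if sa.rule == rule]
    if any(sa.inner_d_addr is not None for sa in candidates):
        # The SAD records the assigned inner address, so the packet's inner
        # destination identifies exactly one SA (or none, if never assigned).
        candidates = [sa for sa in candidates
                      if sa.inner_d_addr is not None
                      and ipaddress.ip_address(sa.inner_d_addr) == ipaddress.ip_address(dst)]
    return [sa.name for sa in candidates]


C_NET = "192.168.0.0/16"
HOSTC = "192.168.1.5"   # constructed address for the corporate host in the post

# Scenario 1: the post's original SPD (one rule per direction) and the SAD after both handshakes.
RULE_IN = SPDEntry("any", C_NET, "inbound")
RULE_OUT = SPDEntry(C_NET, "any", "outbound")
SPD_SINGLE = [RULE_IN, RULE_OUT]
SAD_ORIGINAL = [
    SADEntry("1", "HOSTA", "SPI_A", "ESP", RULE_OUT),
    SADEntry("2", "SGW", "SPI_B", "ESP", RULE_IN),
    SADEntry("3", "HOSTB", "SPI_C", "ESP", RULE_OUT),
    SADEntry("4", "SGW", "SPI_D", "ESP", RULE_IN),
]

# Scenario 2: one SPD entry per assigned inner address (the post's first workaround).
IN_A = SPDEntry("192.168.10.1", "any", "inbound")
IN_B = SPDEntry("192.168.10.2", "any", "inbound")
OUT_A = SPDEntry("any", "192.168.10.1", "outbound")
OUT_B = SPDEntry("any", "192.168.10.2", "outbound")
SPD_PER_PEER = [IN_A, IN_B, OUT_A, OUT_B]
SAD_PER_PEER = [
    SADEntry("1", "HOSTA", "SPI_A", "ESP", OUT_A),
    SADEntry("2", "SGW", "SPI_B", "ESP", IN_A),
    SADEntry("3", "HOSTB", "SPI_C", "ESP", OUT_B),
    SADEntry("4", "SGW", "SPI_D", "ESP", IN_B),
]

# Scenario 3: the original SPD, but the SAD stores the CP-assigned inner address
# (the post's second workaround). Inbound SAs are selected by SPI, not by this
# lookup, so their inner address is left unset here.
SAD_WITH_INNER = [
    SADEntry("1", "HOSTA", "SPI_A", "ESP", RULE_OUT, inner_d_addr="192.168.10.1"),
    SADEntry("2", "SGW", "SPI_B", "ESP", RULE_IN),
    SADEntry("3", "HOSTB", "SPI_C", "ESP", RULE_OUT, inner_d_addr="192.168.10.2"),
    SADEntry("4", "SGW", "SPI_D", "ESP", RULE_IN),
]

if __name__ == "__main__":
    for label, spd, sad in [("single rule", SPD_SINGLE, SAD_ORIGINAL),
                            ("rule per peer", SPD_PER_PEER, SAD_PER_PEER),
                            ("inner addr in SAD", SPD_SINGLE, SAD_WITH_INNER)]:
        for dst in ("192.168.10.2", "192.168.10.9"):
            print(f"{label:18} HOSTC -> {dst}: SAs {select_outbound_sas(spd, sad, HOSTC, dst)}")
```

The third scenario keeps the SPD at two rules regardless of how many remote hosts connect, which is why it scales better than per-peer SPD entries; the price is that the SAD lookup must consult the inner destination, which the original [d_addr/SPI/proto] key never carried.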