
[Remote access]: Find the right SA on outbound processing



Hi folks,
          I found a problem (maybe) in locating the right outbound 
SA in the SAD in the case of remote access and would appreciate any feedback 
from the group.


Let's suppose we have a SGW (Security Gateway) with the following SPD
(C_NET is the corporate net, i.e., 192.168.0.0/16):

s_addr=any d_addr=C_NET proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=C_NET d_addr=any proto=any dir=outbound IPSEC ESP/Tunnel

So the SGW requires that all traffic must be carried by an ESP/Tunnel SA.
Now a remote host (say it is addressable at HOSTA) wants to access 
the corporate network.
HOSTA initiates an IKEv2 handshake with the SGW.
Because HOSTA requires configuration (via the CP, Configuration 
Payload), the SGW will send a CP containing the IP address the remote host 
must use as the inner header's source IP address (for example 192.168.10.1).

After negotiating the SAs (one per direction) HOSTA's and SGW's SAD 
will be:
[d_addr/ SPI /proto] (SA's specific material)
[HOSTA /SPI_A/ ESP ] (SA's specific material)
[SGW   /SPI_B/ ESP ] (SA's specific material)

At this point another remote host (say it is addressable at HOSTB) wants 
to gain access to the corporate network.
HOSTB initiates an IKEv2 handshake with the SGW, and because it requires 
configuration it will send a CP to the SGW requesting a valid inner header's 
source IP address. The SGW will respond with this information (for example 
192.168.10.2).

After this second negotiation SGW's SAD will be:
[d_addr/ SPI /proto] (SA's specific material)
1 - [HOSTA /SPI_A/ ESP ] (SA's specific material)
2 - [SGW   /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /SPI_C/ ESP ] (SA's specific material)
4 - [SGW   /SPI_D/ ESP ] (SA's specific material)

Now HOSTC, in the corporate network, wants to send a packet to 
192.168.10.2. This packet will be sent to the SGW.
The SGW will match the packet's selectors against the outbound SPD, and these will 
match the only rule in the SPD (outbound), which will point to two 
different SAs in the SAD (1 & 3). However, the SGW does not have any 
information (in the SAD) to select the right one.


Is this right? Or is there something I'm missing?


A trick to avoid the problem is to make one SPD entry per peer:
(SGW SPD)

s_addr=192.168.10.1 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=192.168.10.2 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=192.168.10.3 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
...
...
...

s_addr=any d_addr=192.168.10.1 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.2 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.3 proto=any dir=outbound IPSEC ESP/Tunnel
...
...
...

However, this solution makes the SPD become bigger and bigger.
Another kind of solution would be to put the assigned IP address (inner 
header's IP) in the SAD.

[outer d_addr/inner d_addr/SPI/proto] (SA's specific material)
1 - [HOSTA /192.168.10.1/SPI_A/ ESP ] (SA's specific material)
2 - [SGW   /    SGW     /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /192.168.10.2/SPI_C/ ESP ] (SA's specific material)
4 - [SGW   /    SGW     /SPI_D/ ESP ] (SA's specific material)

Any other ideas?

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Thesis Student, E-Service Technologies Area
Tel: 02-23954.334 - email: forzieri@cefriel.it
------------------------------------------------
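The outbound lookup described in the post above, as an added example that is not part of the original message or the author's code. It models the SGW's SPD and SAD in three layouts: the wildcard SPD with a plain SAD (which is ambiguous for 192.168.10.2 as soon as two remote hosts are connected), the per-peer SPD, and the wildcard SPD with the assigned inner address recorded in the SAD. The corporate host address 192.168.1.5 and the mode names are assumptions made here for illustration.

```python
"""Toy model of SGW outbound processing for the remote-access case in the post.

Added example, not the author's code. SPD/SAD layouts follow the post;
the corporate host 192.168.1.5 and the 'mode' names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

C_NET = ip_network("192.168.0.0/16")      # corporate net from the post
ANY = ip_network("0.0.0.0/0")
# Constructed peers: tunnel endpoint -> (outbound SPI, inbound SPI, CP-assigned inner address)
PEERS = {
    "HOSTA": ("SPI_A", "SPI_B", "192.168.10.1"),
    "HOSTB": ("SPI_C", "SPI_D", "192.168.10.2"),
}


@dataclass
class SA:
    outer_dst: str                           # tunnel endpoint: HOSTA, HOSTB or SGW
    spi: str
    proto: str = "ESP"
    inner_dst: Optional[IPv4Network] = None  # assigned inner address; only in the extended SAD


@dataclass
class SPDEntry:
    src: IPv4Network
    dst: IPv4Network
    direction: str
    sas: List[SA] = field(default_factory=list)  # SAs negotiated under this entry

    def matches(self, s: IPv4Address, d: IPv4Address, direction: str) -> bool:
        return direction == self.direction and s in self.src and d in self.dst


class AmbiguousSA(Exception):
    """More than one outbound SA satisfies the selectors: the situation the post describes."""


def build_sgw_spd(mode: str) -> List[SPDEntry]:
    """'wildcard':     one SPD entry per direction, plain SAD (the post's first layout)
       'per_peer':     one SPD entry per assigned inner address (the post's first fix)
       'inner_in_sad': wildcard SPD, SAD records the inner address (the post's second fix)"""
    spd: List[SPDEntry] = []
    if mode in ("wildcard", "inner_in_sad"):
        inbound = SPDEntry(ANY, C_NET, "inbound")
        outbound = SPDEntry(C_NET, ANY, "outbound")
        spd += [inbound, outbound]
        for peer, (spi_out, spi_in, inner) in PEERS.items():
            recorded = ip_network(inner) if mode == "inner_in_sad" else None
            outbound.sas.append(SA(peer, spi_out, inner_dst=recorded))  # [HOSTx/SPI/ESP]
            inbound.sas.append(SA("SGW", spi_in))                        # [SGW/SPI/ESP]
    elif mode == "per_peer":
        for peer, (spi_out, spi_in, inner) in PEERS.items():
            net = ip_network(inner)  # /32 for the single assigned address
            spd.append(SPDEntry(net, ANY, "inbound", [SA("SGW", spi_in)]))
            spd.append(SPDEntry(ANY, net, "outbound", [SA(peer, spi_out)]))
    else:
        raise ValueError(mode)
    return spd


def outbound_lookup(spd: List[SPDEntry], src: str, dst: str) -> Optional[SA]:
    """SGW outbound processing: first matching SPD entry, then the SA(s) hanging off it.
    Returns None when nothing matches or no SA exists yet (IKE would be triggered)."""
    s, d = ip_address(src), ip_address(dst)
    for entry in spd:
        if not entry.matches(s, d, "outbound"):
            continue
        # Plain SAD (inner_dst None): every SA under the entry is a candidate.
        # Extended SAD: only the SA whose recorded inner address covers the destination.
        candidates = [sa for sa in entry.sas if sa.inner_dst is None or d in sa.inner_dst]
        if len(candidates) > 1:
            raise AmbiguousSA(f"{dst}: candidates {[sa.spi for sa in candidates]}")
        return candidates[0] if candidates else None
    return None


def chosen_spi(mode: str, src: str, dst: str) -> Optional[str]:
    """SPI the SGW would select for (src, dst) under the given layout, or 'AMBIGUOUS'."""
    try:
        sa = outbound_lookup(build_sgw_spd(mode), src, dst)
    except AmbiguousSA:
        return "AMBIGUOUS"
    return sa.spi if sa else None


if __name__ == "__main__":
    for mode in ("wildcard", "per_peer", "inner_in_sad"):
        spd = build_sgw_spd(mode)
        print(f"{mode:13s} SPD entries={len(spd)}  HOSTC->192.168.10.2 uses "
              f"{chosen_spi(mode, '192.168.1.5', '192.168.10.2')}")
```

With two connected peers the wildcard layout raises the ambiguity the post points out, the per-peer layout resolves it at the cost of two SPD entries per remote host, and the extended SAD resolves it while keeping the SPD at two entries; a destination with no assigned address (e.g. 192.168.10.9) selects no SA in either fix.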