[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue #82: Creation of SAs -- clarifications

To: Tero Kivinen <kivinen@ssh.fi>
Subject: Re: Issue #82: Creation of SAs -- clarifications
From: Stephen Kent <kent@bbn.com>
Date: Tue, 14 Oct 2003 17:19:49 -0400
Cc: ipsec@lists.tislabs.com, "Angelos D. Keromytis" <angelos@cs.columbia.edu>, Barbara Fraser <byfraser@cisco.com>, "Theodore Ts'o" <tytso@mit.edu>, Karen Seo <kseo@bbn.com>
In-Reply-To: <16268.5342.104995.706128@ryijy.hel.fi.ssh.com>
References: <16268.5342.104995.706128@ryijy.hel.fi.ssh.com>
Sender: owner-ipsec@lists.tislabs.com

At 18:23 +0300 10/14/03, Tero Kivinen wrote:
>Parsing this text took quite a long time for me. I finally think I
>managed to understand what it is trying to say, but I think the actual
>text added to the final document must explain the things more clearly.

we'll try to rephrase, to make this complex topic clearer. I admit it 
was badly done in 2401 and we're trying to do a better job this time.

>
>So my understanding of the issue is that this changes the text which
>says that we can create SAs selectors based on the packet or based on
>the SPD to text which says that we can create SA selectors based on
>the packet or based on the SPD, or something between.

the goal is to allow an SAD entry and an SPD cache entry to be 
created based on selector values from the packet that triggered the 
creation of the SA. This facility was supposed to be described in 
2401, but I think it was even less clear there :-)

>I.e in addition to only take selectors from the packet implementations
>are allowed to expand them towards to the SPD selectors as much as
>they like.

I don't understand these words.  Let me try again.

For each selector in the SPD, in addition to the literal values that 
define a match, we have defined special values, e.g., ANY and 
OPAQUE. We're saying there is another special value, PFP (populate 
from packet) that indicates the SPD entry matches any value for this 
selector, but wants a new SA created with the value from that 
selector field in the packet header to be used in creating the new SA.

>Orginal case a) allowed only very specific SA selectors based on the
>packet itself. The original case b) takes the SA selectors from the
>SPD. The current IKEv2 approach is that we take the selectors from the
>packet and select the SPD which matches to them and then create SA
>that is either that SPD or any subset of it, as long as the packet
>itself fits to that subset.

IKE is invoked with a set of SPD selector values. In the case of a 
PFP selector, what IKE sees is the SPD entry with the selector field 
extracted from the packet, as opposed to a value from the SPD.

Does this help?

Steve

Follow-Ups:
- Re: Issue #82: Creation of SAs -- clarifications
  - From: Tero Kivinen <kivinen@ssh.fi>

References:
- Issue #82: Creation of SAs -- clarifications
  - From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding
Next by Date: Re: IKEv2 Correction (editorial)
Prev by thread: Issue #82: Creation of SAs -- clarifications
Next by thread: Re: Issue #82: Creation of SAs -- clarifications
Index(es):
- Date
- Thread