[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis issues

To: Tero Kivinen <kivinen@ssh.fi>
Subject: Re: 2401bis issues
From: Stephen Kent <kent@bbn.com>
Date: Wed, 15 Oct 2003 09:44:09 -0400
Cc: "Angelos D. Keromytis" <angelos@cs.columbia.edu>, ipsec@lists.tislabs.com
In-Reply-To: <16269.5007.212493.86304@ryijy.hel.fi.ssh.com>
References: <200310141632.h9EGWVCI025756@coredump.cs.columbia.edu><p0600200ebbb1e0891e62@[128.89.89.75]><16269.5007.212493.86304@ryijy.hel.fi.ssh.com>
Sender: owner-ipsec@lists.tislabs.com

At 12:29 +0300 10/15/03, Tero Kivinen wrote:
>Stephen Kent writes:
>>  I agree that this is not an interoperability issue, but 2401
>>  established a per-interface SPD requirement and I think we now have
>>  heard from various folks that this is unduly restrictive.
>
>The processing model in RFC2401 is just one example way how to do it,
>and as RFC2401 says, you can implement IPsec processing in a way you
>like, as long as it looks from the outside that it is similar than
>what is described in the RFC2401. If we cannot see the difference of
>those two ways, I do not think we need to change it. Implementators
>who want to implement it that way can already do it, I do not think
>RFC2401 restricts anybody in that way.

correct.

>
>----------------------------------------------------------------------
>4.4 Security Association Databases
>
>    Many of the details associated with processing IP traffic in an IPsec
>    implementation are largely a local matter, not subject to
>    standardization.  However, some external aspects of the processing
>    must be standardized, to ensure interoperability and to provide a
>    minimum management capability that is essential for productive use of
>    IPsec.  This section describes a general model for processing IP
>    traffic relative to security associations, in support of these
>    interoperability and functionality goals.  The model described below
>    is nominal; compliant implementations need not match details of this
>    model as presented, but the external behavior of such implementations
>    must be mappable to the externally observable characteristics of this
>    model.
>----------------------------------------------------------------------
>
>>  So as part of the revised processing model we need to remove the
>>  old, 2401 restriction and explain what the new model does and why.
>
>Does the new processing model require interface selectors or not? Does
>it help describing the processing model if we have interface selectors
>instead of per interface SPD?

when I published my first draft of the new model, it had a way to tag 
a packet with a VID, for forwarding purposes, and because we still 
had a per interface SPD, the VID selected the SPD too. The VID is not 
a selector, per se.  However, as I have listened to comments from 
various folks I am less convinced that we should have per-interface 
SPDs as a basic part of the model. Instead it seems more important to 
have a function to select an appropriate SPD, if more than one is 
needed, and to leave the forwarding decision as a separate matter.

>
>What is the rationale behind this change?

the rationale is that if we do not need to impose the constraint of a 
per-interface SPD, then it should go away, and a more flexible way of 
specifying the SPD should be accommodated, explicitly.

>
>>  >Issues 44 ("forwarding table lookup to select virtual interface ID") and
>>  >        45 ("use of cache with de-correlated SPD")
>>  >are still open, waiting for 2401bis draft.
>>  this will also be covered i the revised model.
>
>I would really like to have that revised model as soon as possible...

me too :-)

>
>>  >Rejected Issue 69 ("Multiple protocols per SPD entry")
>>  >Rationale: This is covered by
>>  >            issue 47 ("all selectors can be a list of ranges, per 
>>IKEv2 spec").
>>
>>  Tero has pointed out in some private e-mail that this
>>  characterization in quotes is not quite right, i.e., IKEv2 does not
>>  work this way!
>
>That was what we were refereing to, i.e while we fix the issue 47, it
>will make clear that we do not need protocol ranges in the SPD, but we
>do need each SPD entry to have list of selector items (source and
>destination ip-address ranges, protocol id, source and destination
>port ranges).

agreed, and thanks for the clarification!

>
>>  So, we are revising the characterization accordingly.
>>  The bottom line is that one can accommodate multiple protocols in a
>>  single SPD entry, because the entry really consists of a list of
>  > selector sets, each set contains S/D IP address range, ONE protocol
>>  (or ANY), and S/D port range.  The "list of ranges" effect is
>>  achieved in that fashion.
>
>Yep, and as this will be taken care of inside the Issue 47, then we
>can reject the issue 69 proposing about the same thing, but
>differently.

OK.

Steve

References:
- 2401bis issues
  - From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>
- Re: 2401bis issues
  - From: Stephen Kent <kent@bbn.com>
- Re: 2401bis issues
  - From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: Re: IKEv2 Correction (editorial)
Next by Date: Re: Issue 68 ("VPNs with overlapping IP address ranges")
Prev by thread: Re: 2401bis issues
Next by thread: Re: 2401bis issues
Index(es):
- Date
- Thread