[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SAs that carry fragments Was: Re: Some IKEv2 issues

To: Stephen Kent <kent@bbn.com>, Tero Kivinen <kivinen@iki.fi>, Charles Lynn <clynn@bbn.com>, ipsec@lists.tislabs.com
Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
From: Nicolas Williams <Nicolas.Williams@sun.com>
Date: Fri, 20 Feb 2004 16:29:11 -0600
In-reply-to: <20040220215617.GK6177@binky.central.sun.com>
Mail-followup-to: Stephen Kent <kent@bbn.com>,Tero Kivinen <kivinen@iki.fi>, Charles Lynn <clynn@bbn.com>,ipsec@lists.tislabs.com
References: <20040218161436.9707F2051E@wolfe.bbn.com> <16435.55623.26827.859229@fireball.acr.fi> <p06020402bc59945d05cd@[128.89.89.75]> <16438.958.625838.937789@fireball.acr.fi> <p06020403bc5bcc947dc8@[128.89.89.75]> <20040220175458.GC6177@binky.central.sun.com> <p06020412bc5c0ba2452b@[128.89.89.75]> <20040220200336.GF6177@binky.central.sun.com> <p0602041cbc5c26b99e65@[128.89.89.75]> <20040220215617.GK6177@binky.central.sun.com>
Sender: owner-ipsec@lists.tislabs.com
User-agent: Mutt/1.4i

On Fri, Feb 20, 2004 at 03:56:17PM -0600, Nicolas Williams wrote:
> I'd better read Charlie Lynn's proposal now :)

IIUC Charlie Lynn's proposal is to assign one SA to protect all
fragments even though multiple SAs may be used for different ports, yes?

I think this defeats the notion of having SGs with SPD entries with port
selectors where the different SAs for the same SA end-points have
effectively different IDs (e.g., different userFqdn IDs), though this
can be mitigated.  Presumably such cases involve a multi-user end-point
and this multi-user end-point runs trusted code (i.e., its OS kernel)
and may even have a host cert/key; using an SA whose ID corresponds to
the host for protecting the fragments would be a fine mitigation, as
would multiply-authenticating[*] the SA for carrying fragments (as long
as the trusted code in the end-point protects its DH private numbers and
SA keys from its users).

As compared to Tero's proposal (and with my comments) this is a lighter
weight solution -- setting up an SA and adding an SPD entry may be a
burden, but that would be less than the burden of keeping initial
fragment selector/ID cache (see previous post).

[*]  Is it possible to run multiple AUTH exchanges for a single IKE_SA
     with different certs?  Obviously the IKE_SA can only have one
     IDi/IDr...

Nico
--

References:
- SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Charles Lynn <clynn@bbn.com>
- SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Nicolas Williams <Nicolas.Williams@sun.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Nicolas Williams <Nicolas.Williams@sun.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Nicolas Williams <Nicolas.Williams@sun.com>

Prev by Date: RE: Traffic Selectors (was SA fragments)
Next by Date: RE: Traffic Selectors (was SA fragments)
Previous by thread: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by thread: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Index(es):
- Date
- Thread