
Re: [Ipsec] IPsec AH and ESP -- changes



Markku Savela wrote:

>>From: Brian Weis <bew@cisco.com>
>>
>
>>From my recollection, the rationale was that a single key server would 
>>likely be choosing SPIs for a single {source addr, destination addr} 
>>pair.  That key server could probably be trusted to not choose the same 
>>SPI for both an AH and ESP SA matching that flow. Therefore keeping the 
>>protocol in the SA lookup was seen as unnecessary.
>>
>>You're right though, it does special case the SA lookup logic. If the 
>>protocol were optionally included in the multicast SA lookup as well as 
>>the unicast SA lookup, the semantics would be consistent. This might 
>>simplify the implementation of an SA lookup. I.e.,
>>
>>  unicast: {SPI, [protocol]}
>>  ASM multicast: {SPI, destination, [protocol]}
>>  SSM multicast: {SPI, destination, source, [protocol]}
>>
>
>There is no point in talking about "optional protocol". You MUST check
>the protocol anyway, as you are ALWAYS looking for either AH or ESP.
>
Recall that with unicast SAs (negotiated with IKE) IPsec chooses the 
SPIs for incoming SAs. Some IPsec implementations have been careful to 
choose unique SPIs for all SAs, so that in no case will they have an AH 
and ESP SA with the same SPI. They then simplified their SA lookup to 
use just the SPI. In the new ESP and AH drafts the authors recognized 
this, and made the protocol an optional part of the lookup for unicast SAs.

Brian

>If you have AH header at hand, and look for SA using SPI only, it is
>not very helpful, if you find ESP SA. Multicast does not change this
>in any way.


-- 
Brian Weis
Advanced Security Development, ITD, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com

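The lookup keys Brian lists above and the collision Markku warns about, as an added example that is not from this thread or from any IPsec implementation: a toy Security Association Database in C with the three key types (unicast, ASM multicast, SSM multicast), the optional protocol component, and a single SPI allocator shared by AH and ESP. The scenario functions show an AH packet resolving to an ESP SA when two SAs share an SPI and only the SPI is checked, the same lookup corrected by including the protocol, the same lookup made safe by unique SPI allocation, and an SSM lookup that needs {SPI, destination, source}. All structure names, addresses, SPI values and labels are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy SAD for the inbound lookup rules discussed in the thread. Added example,
 * not code from any IPsec stack; every name and value here is invented. */

enum sa_proto { SA_ESP = 50, SA_AH = 51 };    /* IP protocol numbers of ESP and AH */
enum sa_kind  { SA_UNICAST, SA_ASM, SA_SSM }; /* unicast, any-source mcast, source-specific mcast */

struct sa {
    uint32_t spi;
    uint8_t proto;        /* SA_AH or SA_ESP */
    enum sa_kind kind;
    uint32_t dst, src;    /* IPv4, host order; src is used only for SA_SSM */
    const char *label;    /* identifies the entry in this example */
};

/* Constructed addresses for the scenarios. */
#define HOST_A  0x0A000001u   /* 10.0.0.1 */
#define HOST_B  0x0A000002u   /* 10.0.0.2 */
#define HOST_C  0x0A000003u   /* 10.0.0.3 */
#define GROUP_G 0xE8000001u   /* 232.0.0.1, an SSM group */

#define SAD_MAX 16
static struct sa sad[SAD_MAX];
static int sad_len;
static uint32_t next_spi;

static void sad_reset(void) { sad_len = 0; next_spi = 256; } /* SPIs 0..255 are reserved */

/* One allocator shared by AH and ESP: because both draw from the same counter,
 * no AH SA can share an SPI with an ESP SA. That property is what lets a
 * receiver drop the protocol from its unicast key. */
static uint32_t sad_alloc_spi(void) { return next_spi++; }

static int sad_add(uint32_t spi, uint8_t proto, enum sa_kind kind,
                   uint32_t dst, uint32_t src, const char *label)
{
    if (sad_len == SAD_MAX) return -1;
    struct sa e = { spi, proto, kind, dst, src, label };
    sad[sad_len++] = e;
    return 0;
}

/* Inbound lookup with the keys from the thread:
 *   unicast:       {SPI, [protocol]}
 *   ASM multicast: {SPI, destination, [protocol]}
 *   SSM multicast: {SPI, destination, source, [protocol]}
 * check_proto says whether the optional protocol component is applied. */
static const struct sa *sad_lookup(uint32_t spi, uint8_t proto, uint32_t dst,
                                   uint32_t src, bool check_proto)
{
    for (int i = 0; i < sad_len; i++) {
        const struct sa *e = &sad[i];
        if (e->spi != spi) continue;
        if (check_proto && e->proto != proto) continue;
        if (e->kind != SA_UNICAST && e->dst != dst) continue; /* ASM and SSM key on destination */
        if (e->kind == SA_SSM && e->src != src) continue;     /* SSM also keys on source */
        return e;
    }
    return NULL;
}

/* Scenario 1: an ESP and an AH SA installed with the same SPI, as can happen when
 * the SPI chooser does not coordinate across protocols. Returns the protocol of
 * the SA found for an inbound AH packet, or -1 if none matched. */
int scenario_collision(bool check_proto)
{
    sad_reset();
    sad_add(0x1000, SA_ESP, SA_UNICAST, HOST_A, 0, "esp-in");
    sad_add(0x1000, SA_AH,  SA_UNICAST, HOST_A, 0, "ah-in");
    const struct sa *e = sad_lookup(0x1000, SA_AH, HOST_A, HOST_B, check_proto);
    return e ? e->proto : -1;
}

/* Scenario 2: SPIs chosen by the shared allocator, so an SPI-only unicast lookup
 * for an AH packet cannot land on an ESP SA. Returns the protocol found. */
int scenario_unique_spi(void)
{
    sad_reset();
    uint32_t esp_spi = sad_alloc_spi();
    uint32_t ah_spi = sad_alloc_spi();
    sad_add(esp_spi, SA_ESP, SA_UNICAST, HOST_A, 0, "esp-in");
    sad_add(ah_spi,  SA_AH,  SA_UNICAST, HOST_A, 0, "ah-in");
    const struct sa *e = sad_lookup(ah_spi, SA_AH, HOST_A, HOST_B, false);
    return e ? e->proto : -1;
}

/* Scenario 3: two SSM SAs for the same group and SPI but different senders; only
 * the source component separates them. Returns 1 if HOST_C's SA is selected. */
int scenario_ssm(void)
{
    sad_reset();
    sad_add(0x2000, SA_ESP, SA_SSM, GROUP_G, HOST_B, "ssm-from-b");
    sad_add(0x2000, SA_ESP, SA_SSM, GROUP_G, HOST_C, "ssm-from-c");
    const struct sa *e = sad_lookup(0x2000, SA_ESP, GROUP_G, HOST_C, true);
    return e != NULL && strcmp(e->label, "ssm-from-c") == 0;
}

int main(void)
{
    printf("shared SPI, SPI-only lookup for AH finds proto %d (AH=%d)\n", scenario_collision(false), SA_AH);
    printf("shared SPI, SPI+proto lookup finds proto %d; unique SPIs, SPI-only finds %d\n",
           scenario_collision(true), scenario_unique_spi());
    printf("SSM lookup selects the right sender: %d\n", scenario_ssm());
    return 0;
}
```

Compile with any C99 compiler (for instance `cc -std=c99 -Wall sad.c`). The point the scenarios make is that SPI-only lookup is only safe when the receiver itself allocated every inbound SPI from one space covering both AH and ESP; a receiver that installs SAs with SPIs chosen elsewhere, by manual keying or by a group key server, has no such guarantee and should keep the protocol in the key.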

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec