
Re: [IPSECKEY] Re: I-D ACTION:draft-richardson-ipsec-rr-01.txt



Michael Richardson wrote:

>     Tatsuya> In case both public key and gateway field in IPSECKEY RR exist,
>     Tatsuya> how should I interpret it?
> 
>   The public key that is provided is the public key of the gateway.


OK, I mistakenly took the "public key" to be the key of the RR owner, not
the gateway's key.


>   They appear in the same resource record to avoid a second round trip. If it
> does not appear, then a second round trip is necessary. This scenario may be
> useful when the public key has to change very frequently and updating all of
> the "client" records is too difficult.
>   (to put it another way, this is intentionally not 3rd-normal form)


I think the second round trip is necessary only the first time, because
the gateway's IPSECKEY RR retrieved by the second round trip is cached on
the initiating IPsec node, and the cached gateway's IPSECKEY RR is used
when accessing a different host behind the same gateway.

>     Tatsuya> If the gateway field is the same as the owner name of RR,
>     Tatsuya> it should be considered as a security gateway.
> 
>   Yes, in this case, the host is acting as its own gateway.


Do the following two RRs both have the same meaning?

1)

owner-name: "Host 1"
gateway:    "Host 1"
public-key:  Host-1-key

2)

owner-name: "Host 1"
gateway:    "none"
public-key:  Host-1-key

If (1) is a security gateway that implements tunnel mode only and (2) is
an IPsec host that implements both tunnel and transport mode, the
initiator can propose appropriate SA parameters (tunnel or transport
mode) according to the presence of the gateway field in the IPSECKEY RR.

>     Tatsuya>   Host 1 -------- Internet ----------- Security --- Host 2
>     Tatsuya>    | |                                 Gateway1        |
>     Tatsuya>    | |                                     |           |
>     Tatsuya>    | -------Security Association 1----------           |
>     Tatsuya>    |                                                   |
>     Tatsuya>    ----------------Security Association 2---------------
>
>   There is no clear way for host-1 to set this up on its own.
>   It would occur under this circumstance, assuming that the IPSECKEY RR is
> deployed in the reverse map as specified in OE. (It may get deployed
> elsewhere with different rules)
<snip!>

I understand well that IPSECKEY RRs can establish nested SAs.
Thanks.

-- 
Tatsuya BABA      babatt@nttdata.co.jp
R&D Headquarters, NTT DATA CORPORATION

-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
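The interpretation worked out in the exchange above, as an added example that is not code from the thread or from the draft: a resolver-side model of how an initiator reads IPSECKEY RRs. It assumes the presentation format later standardized in RFC 4025 (precedence, gateway type, algorithm, gateway, optional base64 key; gateway type 0 is written as "."), uses a constructed in-memory zone in place of DNS, and takes the "gateway present means tunnel only, gateway absent means tunnel or transport" rule from Tatsuya's proposal rather than from the draft. The names and placeholder keys are constructed.

```python
"""Initiator-side reading of IPSECKEY RRs (added example, RFC 4025 text format assumed).

gateway-type: 0 = no gateway ("."), 1 = IPv4, 2 = IPv6, 3 = domain name.
algorithm 0 means no key is carried and the key field is omitted.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class IPSECKEY:
    owner: str
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: str      # "." when gateway_type == 0
    public_key: str   # base64 text, "" when algorithm == 0


def canon(name: str) -> str:
    """Lower-case a name and drop the trailing dot so owner/gateway compare equal."""
    return name.lower().rstrip(".")


def parse_ipseckey(owner: str, rdata: str) -> IPSECKEY:
    """Parse RDATA in presentation format, validating the type/field consistency rules."""
    fields = rdata.split()
    if len(fields) == 4:
        fields.append("")               # algorithm 0: key field omitted
    if len(fields) != 5:
        raise ValueError("IPSECKEY needs 4 or 5 fields: %r" % rdata)
    prec, gtype, alg, gateway, key = fields
    rr = IPSECKEY(canon(owner), int(prec), int(gtype), int(alg), gateway, key)
    if rr.gateway_type not in (0, 1, 2, 3):
        raise ValueError("unknown gateway type %d" % rr.gateway_type)
    if (rr.gateway_type == 0) != (rr.gateway == "."):
        raise ValueError("gateway type 0 must be written as '.' and only then")
    if (rr.algorithm == 0) != (rr.public_key == ""):
        raise ValueError("algorithm 0 must carry no key and only then")
    return rr


def is_own_gateway(rr: IPSECKEY) -> bool:
    """Case (1) in the thread: the gateway field names the owner itself."""
    return rr.gateway_type == 3 and canon(rr.gateway) == rr.owner


def proposable_modes(rr: IPSECKEY) -> Tuple[str, ...]:
    """Tatsuya's rule: gateway present -> tunnel only; absent -> tunnel or transport."""
    return ("tunnel", "transport") if rr.gateway_type == 0 else ("tunnel",)


class Initiator:
    """Looks up IPSECKEY RRs and caches each gateway's own RR after the first fetch."""

    def __init__(self, zone: Dict[str, str]):
        self.zone = {canon(k): v for k, v in zone.items()}   # stand-in for DNS
        self.gateway_cache: Dict[str, IPSECKEY] = {}
        self.queries = 0                                      # DNS round trips made

    def lookup(self, name: str) -> IPSECKEY:
        self.queries += 1
        return parse_ipseckey(name, self.zone[canon(name)])

    def peer_for(self, target: str) -> Tuple[str, str, Tuple[str, ...]]:
        """Return (IKE peer, peer's public key, modes to propose) for traffic to target."""
        rr = self.lookup(target)
        if rr.gateway_type == 0 or is_own_gateway(rr):
            if not rr.public_key:
                raise ValueError("%s carries no key and names no gateway" % rr.owner)
            return rr.owner, rr.public_key, proposable_modes(rr)
        # Another node gateways for target.  A key in this record is the
        # gateway's key (no second round trip); otherwise fetch the gateway's
        # own RR once and reuse it for every other host behind that gateway.
        if rr.public_key:
            return canon(rr.gateway), rr.public_key, proposable_modes(rr)
        gw = canon(rr.gateway)
        gw_rr = self.gateway_cache.get(gw)
        if gw_rr is None:
            gw_rr = self.lookup(rr.gateway)       # second round trip, first time only
            if not (gw_rr.gateway_type == 0 or is_own_gateway(gw_rr)):
                raise ValueError("%s does not speak for itself" % rr.gateway)
            self.gateway_cache[gw] = gw_rr
        return gw, gw_rr.public_key, proposable_modes(rr)


# Constructed zone; keys are placeholders, not real key material.
ZONE = {
    "host1.example.": "10 3 2 host1.example. SG1KEY==",   # (1) host is its own gateway
    "host2.example.": "10 0 2 . HOST2KEY==",              # (2) no gateway field
    "a.example.": "10 3 0 gw.example.",                   # behind gw, no key carried
    "b.example.": "10 3 0 gw.example.",                   # behind the same gw
    "gw.example.": "10 3 2 gw.example. GWKEY==",
    "c.example.": "10 3 2 gw2.example. GW2KEY==",         # carries its gateway's key
}


def round_trips_behind_shared_gateway() -> Dict[str, int]:
    """Show the cache: a.example costs two queries, b.example only one more."""
    init = Initiator(ZONE)
    init.peer_for("a.example.")
    after_first = init.queries
    init.peer_for("b.example.")
    return {"after_first": after_first, "after_second": init.queries}
```

The two forms Tatsuya asks about come out differently only in the proposed modes: both `host1.example.` and `host2.example.` are their own IKE peer, but only the record without a gateway field lets the initiator offer transport mode. For `c.example.` the key in the record belongs to `gw2.example.`, so no second query is made at all; for `a.example.` and `b.example.` the gateway's RR is fetched once and served from the cache thereafter.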