
Proposal in IKE and IP packet format



We can use six patterns of security protocol and mode: ESP tunnel,
ESP transport, AH tunnel, AH transport, IPCOMP tunnel, IPCOMP transport.
The IPsec stack (probably in the operating system kernel) and IKE (usually
implemented as a daemon) have different standpoints:
- As ESP/AH/IPCOMP are separate protocols, the IPsec stack can use any
  combination of them.  For inbound, it is much easier to handle them as
  totally different protocols, as we dispatch based on protocol type.  For
  outbound it is also the case.  The KAME stack can configure any combination,
  for example, "IP AH AH AH AH payload".
- RFC2409 requires the mode of operation (tunnel/transport) to be the same
  across all the transforms.  If we see "tunnel mode" in transforms (note:
  plural!), we need to encapsulate only once - even though we see the
  "tunnel mode" attribute multiple times, we encapsulate only once.
So, though the IPsec stack can be very flexible (and it is easier to
implement!), IKE limits the possible combinations.  No document (yet) has
talked about the relationship between the combination of IP packet format
and IKE proposals/transforms.

Here is the table of IKE proposals and the resulting IP packet format.
Does it make sense that we follow the table if we use IKE?
The table will eliminate the ambiguity we found in bakeoffs - some of us
interpreted the IKE "tunnel/transport mode" attribute differently.

In addition, is it legal for a responder to modify the order of proposals?
For example, is the following story legal?  Should the initiator accept
such a proposal?
- the initiator proposes ESP transport as 1st proposal and AH transport as
  2nd proposal,
- then the responder replies with AH as 1st proposal and ESP as 2nd proposal.

//KAME Project

====
The table of proposal and IP packet format:

*1: MUST be rejected because all of the modes in each proposal have to be equal.
*2: MUST be rejected because it makes no sense (the same protocol twice).

A. single proposal

1st proposal        packet format
----------------    ----------------------
ESP tunnel       => IP2 ESP IP1 payload
ESP transport    => IP1 ESP payload
AH tunnel        => IP2 AH IP1 payload
AH transport     => IP1 AH payload
IPCOMP tunnel    => IP2 IPCOMP IP1 payload
IPCOMP transport => IP1 IPCOMP payload

B. two proposals with the same proposal number.

1st proposal       2nd proposal        packet format
----------------   ----------------   -----------------------
ESP tunnel       & ESP tunnel       => *2
ESP tunnel       & ESP transport    => *2
ESP tunnel       & AH tunnel        => IP2 AH ESP IP1 payload
ESP tunnel       & AH transport     => *1
ESP tunnel       & IPCOMP tunnel    => IP2 ESP IPCOMP IP1 payload
ESP tunnel       & IPCOMP transport => *1
ESP transport    & ESP tunnel       => *2
ESP transport    & ESP transport    => *2
ESP transport    & AH tunnel        => *1
ESP transport    & AH transport     => IP1 AH ESP payload
ESP transport    & IPCOMP tunnel    => *1
ESP transport    & IPCOMP transport => IP1 ESP IPCOMP payload
AH tunnel        & ESP tunnel       => IP2 AH ESP IP1 payload
AH tunnel        & ESP transport    => *1
AH tunnel        & AH tunnel        => *2
AH tunnel        & AH transport     => *2
AH tunnel        & IPCOMP tunnel    => IP2 AH IPCOMP IP1 payload
AH tunnel        & IPCOMP transport => *1
AH transport     & ESP tunnel       => *1
AH transport     & ESP transport    => IP1 AH ESP payload
AH transport     & AH tunnel        => *2
AH transport     & AH transport     => *2
AH transport     & IPCOMP tunnel    => *1
AH transport     & IPCOMP transport => IP1 AH IPCOMP payload
IPCOMP tunnel    & ESP tunnel       => IP2 ESP IPCOMP IP1 payload
IPCOMP tunnel    & ESP transport    => *1
IPCOMP tunnel    & AH tunnel        => IP2 AH IPCOMP IP1 payload
IPCOMP tunnel    & AH transport     => *1
IPCOMP tunnel    & IPCOMP tunnel    => *2
IPCOMP tunnel    & IPCOMP transport => *2
IPCOMP transport & ESP tunnel       => *1
IPCOMP transport & ESP transport    => IP1 ESP IPCOMP payload
IPCOMP transport & AH tunnel        => *1
IPCOMP transport & AH transport     => IP1 AH IPCOMP payload
IPCOMP transport & IPCOMP tunnel    => *2
IPCOMP transport & IPCOMP transport => *2

C. three proposals with the same proposal number.
(most of the bogus combinations are omitted)

1st proposal       2nd proposal       3rd proposal        packet format
----------------   ----------------   ----------------    ---------------------
ESP tunnel       & AH tunnel        & IPCOMP tunnel    => IP2 AH ESP IPCOMP IP1
ESP tunnel       & AH tunnel        & IPCOMP transport => *1
ESP tunnel       & AH transport     & IPCOMP tunnel    => *1
ESP tunnel       & AH transport     & IPCOMP transport => *1
ESP transport    & AH tunnel        & IPCOMP tunnel    => *1
ESP transport    & AH tunnel        & IPCOMP transport => *1
ESP transport    & AH transport     & IPCOMP tunnel    => *1
ESP transport    & AH transport     & IPCOMP transport => IP1 AH ESP IPCOMP
AH tunnel        & ESP tunnel       & IPCOMP tunnel    => IP2 AH ESP IPCOMP IP1
AH tunnel        & ESP tunnel       & IPCOMP transport => *1
AH tunnel        & ESP transport    & IPCOMP tunnel    => *1
AH tunnel        & ESP transport    & IPCOMP transport => *1
AH transport     & ESP tunnel       & IPCOMP tunnel    => *1
AH transport     & ESP tunnel       & IPCOMP transport => *1
AH transport     & ESP transport    & IPCOMP tunnel    => *1
AH transport     & ESP transport    & IPCOMP transport => IP1 AH ESP IPCOMP
IPCOMP tunnel    & ESP tunnel       & AH tunnel        => IP2 AH ESP IPCOMP IP1
IPCOMP tunnel    & ESP tunnel       & AH transport     => *1
IPCOMP tunnel    & ESP transport    & AH tunnel        => *1
IPCOMP tunnel    & ESP transport    & AH transport     => *1
IPCOMP transport & ESP tunnel       & AH tunnel        => *1
IPCOMP transport & ESP tunnel       & AH transport     => *1
IPCOMP transport & ESP transport    & AH tunnel        => *1
IPCOMP transport & ESP transport    & AH transport     => IP1 AH ESP IPCOMP
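As an added illustration (not KAME code and not part of the original post), here is a small Python function that applies the two rejection rules of the table, *1 (mixed modes) and *2 (the same protocol twice), and derives the packet format with a single encapsulation. The fixed header order AH, ESP, IPCOMP (outermost first) is read off the table's packet-format column and is an assumption here, as is the `tabulate` helper that enumerates all 36 rows of table B.

```python
from typing import List, Tuple
import itertools

# Wire order, outermost first, as the table's packet formats show
# (AH, then ESP, then IPCOMP); listing order in the proposal is irrelevant.
WIRE_ORDER = ("AH", "ESP", "IPCOMP")
MODES = ("transport", "tunnel")

class RejectProposal(ValueError):
    """The proposal MUST be rejected (*1 or *2 in the table)."""

def packet_format(transforms: List[Tuple[str, str]]) -> str:
    """Map one proposal number's transforms, e.g. [("ESP", "tunnel"),
    ("AH", "tunnel")], to the packet format string, or raise RejectProposal."""
    if not transforms:
        raise RejectProposal("empty proposal")
    seen, modes = set(), set()
    for proto, mode in transforms:
        if proto not in WIRE_ORDER or mode not in MODES:
            raise RejectProposal(f"unknown transform {proto} {mode}")
        if proto in seen:
            # *2: the same protocol twice in one proposal makes no sense
            raise RejectProposal(f"*2: {proto} listed more than once")
        seen.add(proto)
        modes.add(mode)
    if len(modes) != 1:
        # *1: RFC2409 requires one mode across all transforms of a proposal
        raise RejectProposal("*1: tunnel and transport modes mixed")
    headers = " ".join(p for p in WIRE_ORDER if p in seen)
    if "tunnel" in modes:
        # Encapsulate exactly once, however many transforms say "tunnel"
        return f"IP2 {headers} IP1 payload"
    return f"IP1 {headers} payload"

def tabulate(n: int) -> dict:
    """Enumerate every ordered n-transform proposal (table B is n=2) and map
    each to its packet format or its rejection marker ("*1" / "*2")."""
    table = {}
    for combo in itertools.product(itertools.product(WIRE_ORDER, MODES), repeat=n):
        try:
            table[combo] = packet_format(list(combo))
        except RejectProposal as err:
            table[combo] = str(err)[:2]
    return table

if __name__ == "__main__":
    for combo, fmt in sorted(tabulate(2).items()):
        print(" & ".join(f"{p} {m}" for p, m in combo), "=>", fmt)
```

Running the module prints table B; note that both listing orders of a pair (e.g. ESP tunnel & AH tunnel and AH tunnel & ESP tunnel) yield the same format, exactly as the table does.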