[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on SA Bundle

To: kent@xxxxxxx
Subject: Re: Question on SA Bundle
From: Markku Savela <msa@xxxxxxxxxxxxxxxxx>
Date: Thu, 10 Apr 2003 00:41:44 +0300
Cc: lokeshnb@xxxxxxxxxxxxx, ipsec@xxxxxxxxxxxxxxxxx
In-reply-to: <> (message from Stephen Kent on Wed, 9 Apr 2003 15:43:30 -0400)
References: <> <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

> From: Stephen Kent <kent@xxxxxxx>

> If folks think this is not the right path for 2401bis, let me know.

In my understanding "bundle" is loose concept, e.g. in a policy I
could specify

  selector1 -> apply SA1(AH), apply SA2(ESP), apply SA2(ESP)
  selector2 -> apply SA2(ESP)

Bundle is just a set of IPSEC transformations (and SA's) that are
specified to be applied to a packet that maches a particular
selector. The same component SA can be used in different "bundles".

That's about all that "bundle" means to me. Unfortunately, IKEv1
thinks/requires more strict "bundle" concept. It cannot negotiate
individual SA's belonging to same "bundle" separately, or share SA's
between bundles.

Key management should negotiate SA's individually.

Speaking of bundles, I just currently trying examine how to get IPSEC
to work with MIPv6.

Assume you have mobile node (MN) and correspondent node (CN), home
agent (HA). Assume CN is some service that requires IPSEC to be
used. Thus I have a policy

  remote=CN -> use CN-SA

works just fine, as long as MN is at home, with packets

  IP: dst=CN
      src=MN-home
      IPSEC(CN-SA)
      Payload

Now, when MN moves away from home, one possibility is tunneling the
packets via home agent. However, MN - HA path must also be protected
by IPSEC. Thus the required packet leaving from MN must look

  IP: dst=HA
      src=MN-care
      IPSEC(HA-SA)
  IP: dst=CN
      src=MN-home
      IPSEC(CN-SA)
      Payload

It just happens that I can generate above packet using existing IPSEC
implementation by writing a policy (because it allows pretty random
combination of IPSEC transforms)

  away-from-home and remote=CN -> use CN-SA, use HA-SA (tunnel=HA)
  at-home and remote=CN -> use CN-SA

However, there is no hope for IKEv1 or IKEv2 to handle this. Manual
keys work. (system will ask the two SA's with two separate ACQUIRE
requests using PFKEYv2).

I've been fairly happy with 2401 as is. I hope the flexibility that it
allowed is not reduced too much to make things like in above
non-standard.

References:
- Question on SA Bundle
  - From: Lokesh
- Re: Question on SA Bundle
  - From: Stephen Kent

Prev by Date: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
Next by Date: Re: Question on SA Bundle
Previous by thread: Re: Question on SA Bundle
Next by thread: Re: Question on SA Bundle
Index(es):
- Date
- Thread