[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPsec issue #46 -- No need for nested SAs or SA bundles



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Markku" == Markku Savela <msa@xxxxxxxxxxxxxxxxx> writes:
    Markku> Just a note: my implementation can do nested SA's, assuming you
    Markku> mean situation where you have an internal node "Another" that
    Markku> wants IPSEC, but which happens to be behind a security gateway SG:

    Markku>               SA1
    Markku> MyNode  <---------------> SG
    Markku>         <----------------------------------------> Another
    Markku>               SA2

  Let me extend this a bit, to make sure we are talking about the same thing.

SPD:

         SRCIP     DESTIP       gateway
  SA1	 MyNode/32 Another/32   SG
  SA2	 MyNode/32 Another/32   Another


  FreeS/WAN current can *NOT* handle this. I consider this a serious bug,
which I unfortunately, do not have a mandate to fix at this time.

  I believe that this facility needs to remain in the specification. In
particular, when "MyNode" decapsulates, it has to be very careful to avoid
loosing any priviledges that SA1 or SA2 might have conveyed, while still
protecting things properly.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP1Ubr4qHRg3pndX9AQGLHQQAoxssKgYDj88AimxNbSU9jZGULpv8OjLP
r8Iyx0klU9SmG2YiEC3aMXZEl5Enu3gXTETPPUy9tPC5n7jbsEqSR5L2BEQFyWdq
PT1v8MjIDlVlZ5NHnQiKZRzcj7hgvJEBNKfdznkeavVov1yM259Vgjz8af416FKy
AtiZP3LXaso=
=hmzS
-----END PGP SIGNATURE-----