
Re: IPsec issue #46 -- No need for nested SAs or SA bundles

> At 0:40 +0300 9/3/03, Markku Savela wrote:
> >Just a note: my implementation can do nested SA's, assuming you mean
> >situation where you have an internal node "Another" that wants IPSEC,
> >but which happens to be behind a security gateway SG:
> >
> >               SA1
> >MyNode  <---------------> SG
> >         <----------------------------------------> Another
> >               SA2
> >
> >MyNode has nested SA2's, but both SG and Another would not see nested
> >SA's.
> If I understand your diagram, the MyNode component is the only one 
> that would see these as nested SAs. Presumably SA1 is a tunnel mode 
> SA to SG and SA2 is a tunnel or transport SA to Another. Is that 
> right?

> How did you express the policy that SA2 had to be an SA nested inside 
> of SA1, and thus that SA1 must be created first, etc.?

For example with a policy (assuming 'SG' and 'Another' below are
replaced with real addresses).

# SA templates

sa SA1 =
 { esp encrypt_alg 3  auth_alg 3  src_specific pfs }

sa SA2 =
 { esp encrypt_alg 5  auth_alg 2 src_specific }

# pass through for IKE traffic

inbound local_port 500 = { }
outbound remote_port 500 = { }

remote Another = { SA2() SA1(SG) }

# pass through anything else

inbound = { }
outbound = { }

Yes, there is a tricky issue, because it will cause IKE to try to
negotiate SA2 with Another before SA1 with SG is ready. What needs to
be done depends on how SG treats port 500 traffic for targets behind it
(Another). The above policy assumes it passes in the clear.

If not, then things get a bit tricky, and I need to add, before the
generic port 500 pass-throughs, a line

 remote Another remote_port 500 = { SA1(SG) }

MyNode opening a connection to Another would trigger the following:

 Acquire SA's matching template SA2 (src=MyNode, dst=Another) -> IKE
 Acquire SA's matching template SA1 (src=MyNode, dst=SG) -> IKE

IKE is assumed to process these independently. The IKE UDP connections
to Another are blocked for SA2 (due to the policy on port 500 to Another)
until the negotiation with SG for SA1 is complete. [I can share SAs
between policy selectors.]

When both SA1 and SA2 are ready, communication with Another can