
[Remote access]: Find the right SA on outbound processing



Hi folks,
I have found a (possible) problem in locating the right outbound SA in the SAD in the remote access case and would appreciate any feedback from the group.



Let's suppose we have an SGW (Security Gateway) with the following SPD (C_NET is the corporate net, i.e., 192.168.0.0/16):

s_addr=any d_addr=C_NET proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=C_NET d_addr=any proto=any dir=outbound IPSEC ESP/Tunnel

So the SGW requires that all traffic be carried by an ESP/Tunnel SA.
Now a remote host (say it is addressable at HOSTA) wants to access the corporate network.
HOSTA initiates an IKEv2 handshake with the SGW.
Because HOSTA requires configuration (via the CP, Configuration Payload), the SGW will send a CP containing the IP address the remote host must use as the inner header's source IP address (for example 192.168.10.1).


After negotiating the SAs (one per direction), HOSTA's and SGW's SADs will be:
[d_addr/ SPI /proto] (SA's specific material)
[HOSTA /SPI_A/ ESP ] (SA's specific material)
[SGW /SPI_B/ ESP ] (SA's specific material)


At this point another remote host (say it is addressable at HOSTB) wants to gain access to the corporate network.
HOSTB initiates an IKEv2 handshake with the SGW and, because it requires configuration, will send a CP to the SGW requesting a valid inner-header source IP address. The SGW will respond with this information (for example 192.168.10.2).


After this second negotiation SGW's SAD will be:
[d_addr/ SPI /proto] (SA's specific material)
1 - [HOSTA /SPI_A/ ESP ] (SA's specific material)
2 - [SGW   /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /SPI_C/ ESP ] (SA's specific material)
4 - [SGW   /SPI_D/ ESP ] (SA's specific material)

Now HOSTC, in the corporate network, wants to send a packet to 192.168.10.2. This packet will be sent to the SGW.
The SGW will match the packet's selectors against the outbound SPD; they will match the only (outbound) rule in the SPD, which points to two different SAs in the SAD (1 and 3). However, the SGW does not have any information (in the SAD) with which to select the right one.



Is this right? Or is there something I'm missing?



A trick to avoid the problem is to make one SPD entry per peer (SGW SPD):

s_addr=192.168.10.1 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=192.168.10.2 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
s_addr=192.168.10.3 d_addr=any proto=any dir=inbound  IPSEC ESP/Tunnel
...
...
...

s_addr=any d_addr=192.168.10.1 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.2 proto=any dir=outbound IPSEC ESP/Tunnel
s_addr=any d_addr=192.168.10.3 proto=any dir=outbound IPSEC ESP/Tunnel
...
...
...

However, this solution makes the SPD grow bigger and bigger.
Another kind of solution would be to put the assigned IP address (the inner header's IP) in the SAD:


[outer d_addr/inner d_addr/SPI/proto] (SA's specific material)
1 - [HOSTA /192.168.10.1/SPI_A/ ESP ] (SA's specific material)
2 - [SGW   /    SGW     /SPI_B/ ESP ] (SA's specific material)
3 - [HOSTB /192.168.10.2/SPI_C/ ESP ] (SA's specific material)
4 - [SGW   /    SGW     /SPI_D/ ESP ] (SA's specific material)

Any other ideas?

--
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Thesis student, E-Service Technologies Area
Tel: 02-23954.334 - email: forzieri@xxxxxxxxxx
------------------------------------------------
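A small model of the outbound lookup described in the post, added here as an illustration (it is not the poster's code and not taken from any IPsec implementation). It runs the same packet against the original SAD layout and against the proposed layout that records the CP-assigned inner address next to each SA, so the ambiguity and its resolution can be seen in code. The SPI values, HOSTC's address 192.168.1.7 and the 10.0.0.1 sender are assumptions; HOSTA, HOSTB and SGW are kept as symbolic tunnel endpoints as in the post.

```python
"""Model of the outbound SPD/SAD lookup from the post (added example, not the poster's code).

Two SAD layouts are modelled: the original one keyed only on
[outer d_addr / SPI / proto], and the proposed one that also stores the inner
(CP-assigned) destination address.  All addresses, SPI values and the sample
packets are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

C_NET = ip_network("192.168.0.0/16")   # corporate net, as in the post
ANY = ip_network("0.0.0.0/0")
LOCAL = "SGW"                            # the gateway doing the lookup


@dataclass(frozen=True)
class SPDEntry:
    s_addr: IPv4Network
    d_addr: IPv4Network
    proto: Optional[int]        # None means "any"
    direction: str              # "inbound" or "outbound"
    action: str = "ESP/Tunnel"


@dataclass(frozen=True)
class SADEntry:
    outer_d_addr: str           # tunnel endpoint: HOSTA, HOSTB or SGW
    spi: int
    proto: str = "ESP"
    inner_d_addr: Optional[IPv4Network] = None   # CP-assigned address; None in the original layout


@dataclass(frozen=True)
class Packet:
    s_addr: IPv4Address
    d_addr: IPv4Address
    proto: int


def spd_lookup(spd: List[SPDEntry], pkt: Packet, direction: str) -> Optional[SPDEntry]:
    """First SPD entry (in order) whose selectors cover the packet, or None."""
    for e in spd:
        if e.direction != direction:
            continue
        if pkt.s_addr in e.s_addr and pkt.d_addr in e.d_addr and e.proto in (None, pkt.proto):
            return e
    return None


def outbound_sa_candidates(spd: List[SPDEntry], sad: List[SADEntry], pkt: Packet) -> List[int]:
    """SPIs of every SA the SGW could use to carry pkt.

    An empty list means no outbound SPD rule matches.  More than one SPI is
    exactly the ambiguity the post describes: the SPD rule is satisfied, but
    the SAD alone does not say which tunnel leads to the packet's destination.
    """
    rule = spd_lookup(spd, pkt, "outbound")
    if rule is None or rule.action != "ESP/Tunnel":
        return []
    spis = []
    for sa in sad:
        if sa.proto != "ESP" or sa.outer_d_addr == LOCAL:
            continue            # SAs addressed to the SGW itself are its inbound SAs
        if sa.inner_d_addr is not None and pkt.d_addr not in sa.inner_d_addr:
            continue            # proposed layout: the inner address disambiguates
        spis.append(sa.spi)
    return spis


# The SGW's SPD from the post: one rule per direction, everything via ESP/Tunnel.
SGW_SPD = [
    SPDEntry(ANY, C_NET, None, "inbound"),
    SPDEntry(C_NET, ANY, None, "outbound"),
]

# SAD after HOSTA and HOSTB have both connected, original layout (entries 1-4).
SAD_ORIGINAL = [
    SADEntry("HOSTA", 0xA),
    SADEntry("SGW", 0xB),
    SADEntry("HOSTB", 0xC),
    SADEntry("SGW", 0xD),
]

# Same SAs with the CP-assigned inner address recorded on each outbound SA.
SAD_WITH_INNER = [
    SADEntry("HOSTA", 0xA, inner_d_addr=ip_network("192.168.10.1/32")),
    SADEntry("SGW", 0xB),
    SADEntry("HOSTB", 0xC, inner_d_addr=ip_network("192.168.10.2/32")),
    SADEntry("SGW", 0xD),
]

# Constructed packets: HOSTC (inside C_NET) to HOSTB's assigned address,
# and a sender outside C_NET that no outbound rule covers.
HOSTC_TO_HOSTB = Packet(ip_address("192.168.1.7"), ip_address("192.168.10.2"), 6)
OUTSIDE_TO_HOSTB = Packet(ip_address("10.0.0.1"), ip_address("192.168.10.2"), 6)


if __name__ == "__main__":
    print("original SAD:   ", [hex(s) for s in outbound_sa_candidates(SGW_SPD, SAD_ORIGINAL, HOSTC_TO_HOSTB)])
    print("with inner addr:", [hex(s) for s in outbound_sa_candidates(SGW_SPD, SAD_WITH_INNER, HOSTC_TO_HOSTB)])
```

With the original layout the lookup returns both SPI_A and SPI_C for the packet to 192.168.10.2; once the assigned address is stored on the SA, only SPI_C remains. The inner address is kept as a network rather than a single host so the same check works if a peer is ever assigned a whole subnet.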