
2401bis Issue # 82 -- Creation of SAs -- clarifications
Folks,

Here's a description and proposed approach for:

IPsec Issue #: 82

Title: Creation of SAs -- clarifications

Description:
============
2401's text on the SPD currently says:

"For each selector, the policy entry specifies how to derive the corresponding values for a new Security Association Database (SAD, see Section 4.4.3) entry from those in the SPD and the packet (Note that at present, ranges are only supported for IP addresses; but wildcarding can be expressed for all selectors):

  a. use the value in the packet itself -- This will limit
     use of the SA to those packets which have this
     packet's value for the selector even if the selector
     for the policy entry has a range of allowed values or
     a wildcard for this selector.
  b. use the value associated with the policy entry -- If
     this were to be just a single value, then there would
     be no difference between (b) and (a).  However, if the
     allowed values for the selector are a range (for IP
     addresses) or wildcard, then in the case of a range,
     (b) would enable use of the SA by any packet with a
     selector value within the range not just by packets
     with the selector value of the packet that triggered
     the creation of the SA.  In the case of a wildcard,
     (b) would allow use of the SA by packets with any value
     for this selector."

[Note that in IPsec issue 47, it was proposed that all selectors can be a list of ranges, per IKEv2 spec.]

A number of questions have arisen about the 2 options above, in particular for Option a -- use the value in the packet. We need to clarify how the SPD entries can be used to create SAs for various combinations of selectors, e.g., to ensure creation of separately keyed SAs for each pair of hosts.


Proposed approach:
==================
Clarify the text about the SPD to say that Option (a) for instantiating selectors when creating an SA (use the value in the packet itself)...


"can not only be used to create per-host, per-port, or per-protocol keyed SAs, but also to create new SAs based upon unique values of any set of selectors."

Note: For implementors using decorrelation, there will be an appendix with implementor's notes describing how to avoid creating any unnecessary SAs for a set of decorrelated SPD entries created from the same original correlated SPD entry when one or more selector values are populated from subscriber traffic.

Thank you,
Karen
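To make the difference between option (a) and option (b) concrete, here is an added example (not part of the message or of RFC 2401) that models how an SAD entry's selectors are derived from an SPD entry and the triggering packet, and how many separately keyed SAs a small burst of traffic produces under each choice. The SPD entry, the packets and the function names (`derive_sa_selectors`, `lookup_or_create_sa`, `count_sas`) are constructed for illustration.

```python
"""Model of RFC 2401 selector instantiation for new SAs (constructed example):
option (a) copies the packet's value into the SAD entry, option (b) copies the
SPD entry's range or wildcard, so (a) limits the SA to that packet's value."""
from ipaddress import ip_address

ANY = None  # wildcard selector value


def selector_matches(allowed, value):
    """allowed is ANY, a (lo, hi) range, or a single value."""
    if allowed is ANY:
        return True
    if isinstance(allowed, tuple):
        return allowed[0] <= value <= allowed[1]
    return allowed == value


def derive_sa_selectors(spd_selectors, options, packet):
    """Build the selector set of a new SAD entry from one SPD entry and the
    triggering packet; options maps selector name -> 'a' or 'b'."""
    return {name: packet[name] if options[name] == "a" else allowed
            for name, allowed in spd_selectors.items()}


def lookup_or_create_sa(sad, spd_selectors, options, packet):
    """Reuse an SA whose selectors cover the packet, else derive a new one.
    Returns (sa_selectors, created)."""
    for sa in sad:
        if all(selector_matches(sa[n], packet[n]) for n in sa):
            return sa, False
    sa = derive_sa_selectors(spd_selectors, options, packet)
    sad.append(sa)
    return sa, True


def count_sas(options, packets):
    """Constructed SPD entry: TCP from any host in 10.0.0.0/24 to 10.1.0.1, any port."""
    spd = {"src": (ip_address("10.0.0.0"), ip_address("10.0.0.255")),
           "dst": ip_address("10.1.0.1"), "proto": 6, "dport": ANY}
    sad = []
    for pkt in packets:
        assert all(selector_matches(spd[n], pkt[n]) for n in spd)  # SPD entry applies
        lookup_or_create_sa(sad, spd, options, pkt)
    return len(sad)


PACKETS = [  # constructed sample traffic: two hosts, two destination ports
    {"src": ip_address("10.0.0.5"), "dst": ip_address("10.1.0.1"), "proto": 6, "dport": 80},
    {"src": ip_address("10.0.0.5"), "dst": ip_address("10.1.0.1"), "proto": 6, "dport": 443},
    {"src": ip_address("10.0.0.6"), "dst": ip_address("10.1.0.1"), "proto": 6, "dport": 80},
]
PER_HOST = {"src": "a", "dst": "b", "proto": "b", "dport": "b"}       # one SA per source host
PER_HOST_PORT = {"src": "a", "dst": "b", "proto": "b", "dport": "a"}  # one SA per (host, port)
SHARED = {"src": "b", "dst": "b", "proto": "b", "dport": "b"}         # one SA for the whole range
```

Applying option (a) to the source address alone yields two SAs for the three packets, applying it to address and port yields three, and option (b) everywhere yields a single SA shared by the whole range.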