[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis issues

At 12:29 +0300 10/15/03, Tero Kivinen wrote:
Stephen Kent writes:
 I agree that this is not an interoperability issue, but 2401
 established a per-interface SPD requirement and I think we now have
 heard from various folks that this is unduly restrictive.

The processing model in RFC2401 is just one example way how to do it, and as RFC2401 says, you can implement IPsec processing in a way you like, as long as it looks from the outside that it is similar than what is described in the RFC2401. If we cannot see the difference of those two ways, I do not think we need to change it. Implementators who want to implement it that way can already do it, I do not think RFC2401 restricts anybody in that way.


---------------------------------------------------------------------- 4.4 Security Association Databases

   Many of the details associated with processing IP traffic in an IPsec
   implementation are largely a local matter, not subject to
   standardization.  However, some external aspects of the processing
   must be standardized, to ensure interoperability and to provide a
   minimum management capability that is essential for productive use of
   IPsec.  This section describes a general model for processing IP
   traffic relative to security associations, in support of these
   interoperability and functionality goals.  The model described below
   is nominal; compliant implementations need not match details of this
   model as presented, but the external behavior of such implementations
   must be mappable to the externally observable characteristics of this

 So as part of the revised processing model we need to remove the
 old, 2401 restriction and explain what the new model does and why.

Does the new processing model require interface selectors or not? Does it help describing the processing model if we have interface selectors instead of per interface SPD?

when I published my first draft of the new model, it had a way to tag a packet with a VID, for forwarding purposes, and because we still had a per interface SPD, the VID selected the SPD too. The VID is not a selector, per se. However, as I have listened to comments from various folks I am less convinced that we should have per-interface SPDs as a basic part of the model. Instead it seems more important to have a function to select an appropriate SPD, if more than one is needed, and to leave the forwarding decision as a separate matter.

What is the rationale behind this change?

the rationale is that if we do not need to impose the constraint of a per-interface SPD, then it should go away, and a more flexible way of specifying the SPD should be accommodated, explicitly.

 >Issues 44 ("forwarding table lookup to select virtual interface ID") and
 >        45 ("use of cache with de-correlated SPD")
 >are still open, waiting for 2401bis draft.
 this will also be covered i the revised model.

I would really like to have that revised model as soon as possible...

me too :-)

>Rejected Issue 69 ("Multiple protocols per SPD entry")
>Rationale: This is covered by
> issue 47 ("all selectors can be a list of ranges, per IKEv2 spec").

 Tero has pointed out in some private e-mail that this
 characterization in quotes is not quite right, i.e., IKEv2 does not
 work this way!

That was what we were refereing to, i.e while we fix the issue 47, it will make clear that we do not need protocol ranges in the SPD, but we do need each SPD entry to have list of selector items (source and destination ip-address ranges, protocol id, source and destination port ranges).

agreed, and thanks for the clarification!

 So, we are revising the characterization accordingly.
 The bottom line is that one can accommodate multiple protocols in a
 single SPD entry, because the entry really consists of a list of
> selector sets, each set contains S/D IP address range, ONE protocol
 (or ANY), and S/D port range.  The "list of ranges" effect is
 achieved in that fashion.

Yep, and as this will be taken care of inside the Issue 47, then we can reject the issue 69 proposing about the same thing, but differently.