
RE: [Ipsec] IKEv2 traffic selector negotiation



I think this is another scenario where asymmetric security could be useful. Asymmetry could be needed for different reasons, for example, in this case, direction. Some time ago there was a discussion on this. I do not know what direction we chose to take.

Atul 

 -------------- Original message ----------------------
From: <Pasi.Eronen@xxxxxxxxx>
> Hi,
> 
> IKEv2 always creates CHILD_SAs in pairs, and RFC 4301 assumes
> that SPD-S entries with UDP port selectors are unidirectional
> (unlike RFC 2401, which had separate SPD entries for inbound
> and outbound traffic even when applying IPsec protection).
> Thus, IKEv2 does not directly support negotiating this.
> 
> However, even if you create a bidirectional SA pair (using the first
> TSi/TSr you propose), nothing in the specs prohibits host A from
> dropping all packets arriving from B (e.g. using some firewall/packet
> filter functionality not negotiated within IKE).
> 
> This is not exactly the same as the ability to negotiate
> unidirectional SAs (if there are other SAs that could carry the
> traffic from B to A), but could accomplish what you want.
> 
> Best regards,
> Pasi 
> 
> > -----Original Message-----
> > From: Alejandro Perez Mendez [mailto:alejandro_perez@xxxxxxxxx] 
> > Sent: 16 November, 2006 13:07
> > To: Ipsec
> > Subject: [Ipsec] IKEv2 traffic selector negotiation
> > 
> > Hi all!
> > 
> > I have some trouble trying to match some kinds of IP traffic 
> > using the IKEv2 TS semantics.
> > 
> > I want to create a CHILD_SA to protect the UDP traffic from A:
> > 192.168.0.1/32 port 100 to B: 192.168.0.2/32 port 200, but not in 
> > the other direction.
> > 
> > A ---------------------> B
> > A <----------X---------- B
> > 
> > If we define the TS as follows:
> > 
> >         TSi = (17, 100, 192.0.0.1-192.0.0.1)
> >         TSr = (17, 200, 192.168.0.2-192.168.0.2)
> > 
> > it implicitly allows the traffic from B to A.
> > 
> > But, if we define the TS as follows:
> > 
> >         TSi = (17, 100, 192.0.0.1-192.0.0.1)
> >         TSr = (17, 65535-0, 192.168.0.2-192.168.0.2)
> > 
> > then how do we determine the destination port to be 
> > matched with this TS?
> > 
> > Regards!
> > 
> > -- 
> > Alejandro Perez Mendez
> > Pedro J. Fernandez Ruiz
> > 
> > University of Murcia
> 
> _______________________________________________
> Ipsec mailing list
> Ipsec@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ipsec


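Added illustration (not code from anyone in this thread) of the selector semantics the replies above describe: a single TSi/TSr pair yields an SA pair whose inbound half is the mirror image of the outbound half, so B-to-A traffic is covered whether or not A wants it, and the only way to refuse it is a host-local filter outside IKE, as Pasi suggests. The addresses and ports are the ones from the question (192.168.0.1 port 100, 192.168.0.2 port 200). Two things here are assumptions of the example rather than statements from the thread: the port encoding 65535-0 (start greater than end) is treated as the OPAQUE selector, and OPAQUE is taken to match only packets whose transport header is not available for inspection (for instance a non-initial fragment), while 0-65535 (ANY) matches regardless. The class and function names are made up for this illustration.

```python
"""Toy IKEv2 TS_IPV4_ADDR_RANGE matcher: (protocol, port range, address range).

Assumptions (not from the mailing-list thread):
  - 65535-0 (start port > end port) is the OPAQUE port selector;
  - OPAQUE matches only packets whose port is not visible (port=None);
  - 0-65535 (ANY) matches whether or not the port is visible.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional

ANY_PORT = (0, 65535)
OPAQUE_PORT = (65535, 0)      # start > end: assumed OPAQUE encoding


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                # IP protocol number (17 = UDP); 0 means any protocol
    port_lo: int
    port_hi: int
    addr_lo: IPv4Address
    addr_hi: IPv4Address

    def matches_port(self, port: Optional[int]) -> bool:
        rng = (self.port_lo, self.port_hi)
        if rng == ANY_PORT:
            return True                     # ANY: port visible or not
        if rng == OPAQUE_PORT:
            return port is None             # OPAQUE: only when the port is not visible
        return port is not None and self.port_lo <= port <= self.port_hi

    def matches(self, addr: IPv4Address, proto: int, port: Optional[int]) -> bool:
        if self.proto not in (0, proto):
            return False
        return self.addr_lo <= addr <= self.addr_hi and self.matches_port(port)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: Optional[int]      # None when the transport header is not available
    dport: Optional[int]


def ts(proto: int, port_lo: int, port_hi: int, addr_lo: str, addr_hi: str = None) -> TrafficSelector:
    """Build a single-address (or address-range) selector from strings."""
    return TrafficSelector(proto, port_lo, port_hi, IPv4Address(addr_lo), IPv4Address(addr_hi or addr_lo))


def sa_direction(pkt: Packet, tsi: TrafficSelector, tsr: TrafficSelector) -> Optional[str]:
    """Which half of the CHILD_SA pair, seen from the initiator, carries pkt.

    Outbound: src in TSi and dst in TSr.  Inbound: the mirror image, src in TSr and
    dst in TSi.  Both halves come from the same negotiation, which is why one
    TSi/TSr proposal protects both directions.
    """
    if tsi.matches(pkt.src, pkt.proto, pkt.sport) and tsr.matches(pkt.dst, pkt.proto, pkt.dport):
        return "outbound"
    if tsr.matches(pkt.src, pkt.proto, pkt.sport) and tsi.matches(pkt.dst, pkt.proto, pkt.dport):
        return "inbound"
    return None


def decide(pkt: Packet, tsi: TrafficSelector, tsr: TrafficSelector,
           drop_inbound_from: Iterable[str] = ()) -> str:
    """IPsec SA selection followed by a host-local inbound filter (outside IKE)."""
    direction = sa_direction(pkt, tsi, tsr)
    if direction is None:
        return "no-sa"
    blocked = {IPv4Address(a) for a in drop_inbound_from}
    if direction == "inbound" and pkt.src in blocked:
        return "dropped-by-filter"
    return direction


if __name__ == "__main__":
    A, B = IPv4Address("192.168.0.1"), IPv4Address("192.168.0.2")
    tsi, tsr = ts(17, 100, 100, "192.168.0.1"), ts(17, 200, 200, "192.168.0.2")
    for p in (Packet(A, B, 17, 100, 200), Packet(B, A, 17, 200, 100)):
        print(p.src, "->", p.dst, decide(p, tsi, tsr), "/ with filter:",
              decide(p, tsi, tsr, drop_inbound_from=("192.168.0.2",)))
```

Running it shows A-to-B selected as outbound and B-to-A selected as inbound by the same selector pair; only the local filter turns the second into a drop. With TSr = (17, 65535-0, 192.168.0.2) the explicit UDP 100-to-200 packet selects no SA at all under the OPAQUE assumption, and only a packet with no visible ports (paired with an ANY TSi) does.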