RE: IPsec issue #46 -- No need for nested SAs or SA bundles
"Mohan Parthasarathy" <mohanp@tahoenetworks.com> Thu, 04 September 2003 22:59 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA29737 for <ipsec-archive@lists.ietf.org>; Thu, 4 Sep 2003 18:59:40 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA01974 Thu, 4 Sep 2003 15:36:41 -0400 (EDT)
x-mimeole: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: IPsec issue #46 -- No need for nested SAs or SA bundles
Date: Thu, 04 Sep 2003 12:44:41 -0700
Message-ID: <416B5AF360DED54088DAD3CA8BFBEA6E016C156B@TNEXVS02.tahoenetworks.com>
Thread-Topic: IPsec issue #46 -- No need for nested SAs or SA bundles
Thread-Index: AcNxtqhd9Uc+FtNeSZSoZ4LyERTvBwAp1EKAAC+455A=
From: Mohan Parthasarathy <mohanp@tahoenetworks.com>
To: ipsec@lists.tislabs.com
X-OriginalArrivalTime: 04 Sep 2003 19:44:41.0382 (UTC) FILETIME=[FB97E460:01C3731C]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by lists.tislabs.com id PAA01964
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Content-Transfer-Encoding: 8bit
> > >>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes: > Markku> Just a note: my implementation can do nested > SA's, assuming you > Markku> mean situation where you have an internal node > "Another" that > Markku> wants IPSEC, but which happens to be behind a > security gateway SG: > > Markku> SA1 > Markku> MyNode <---------------> SG > Markku> <----------------------------------------> Another > Markku> SA2 > > Let me extend this a bit, to make sure we are talking about > the same thing. > > SPD: > > SRCIP DESTIP gateway > SA1 MyNode/32 Another/32 SG > SA2 MyNode/32 Another/32 Another > > > FreeS/WAN current can *NOT* handle this. I consider this a > serious bug, which I unfortunately, do not have a mandate to > fix at this time. > > I believe that this facility needs to remain in the > specification. In particular, when "MyNode" decapsulates, it > has to be very careful to avoid loosing any priviledges that > SA1 or SA2 might have conveyed, while still protecting things > properly. Yes, please do not remove it from the specification. PANA working group is trying to use SA bundles. SG above is the local enforcement point ( e.g.NAS, Access Router) and "Another" could be the SG of your corporate network for VPN access. draft-mohanp-pana-ipsec-00.txt explains this in IP-IP transport mode where the SA bundles are not required. But with recent discussions in PANA WG, I am going to go back to tunnel mode SA. At least, this is another scenario where this would be useful. thanks mohan > > ] Out and about in Ottawa. hmmm... beer. > | firewalls [ > ] Michael Richardson, Sandelman Software Works, Ottawa, ON > |net architect[ > ] mcr@sandelman.ottawa.on.ca > http://www.sandelman.ottawa.on.ca/ |device > driver[ ] > panic("Just another Debian/notebook using, kernel hacking, > security guy"); [ > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.2 (GNU/Linux) > Comment: Finger me for keys - custom hacks make this fully PGP2 compat > > iQCVAwUBP1Ubr4qHRg3pndX9AQGLHQQAoxssKgYDj88AimxNbSU9jZGULpv8OjLP > r8Iyx0klU9SmG2YiEC3aMXZEl5Enu3gXTETPPUy9tPC5n7jbsEqSR5L2BEQFyWdq > PT1v8MjIDlVlZ5NHnQiKZRzcj7hgvJEBNKfdznkeavVov1yM259Vgjz8af416FKy > AtiZP3LXaso= > =hmzS > -----END PGP SIGNATURE----- >
- Re: IPsec issue #46 -- No need for nested SAs or … Angelos D. Keromytis
- Re: IPsec issue #46 -- No need for nested SAs or … Michael Richardson
- Re: IPsec issue #46 -- No need for nested SAs or … Stephen Kent
- Re: IPsec issue #46 -- No need for nested SAs or … Angelos D. Keromytis
- Re: IPsec issue #46 -- No need for nested SAs or … Stephen Kent
- Re: IPsec issue #46 -- No need for nested SAs or … Angelos D. Keromytis
- Re: IPsec issue #46 -- No need for nested SAs or … Stephen Kent
- Re: IPsec issue #46 -- No need for nested SAs or … Markku Savela
- Fwd: IPsec issue #46 -- No need for nested SAs or… Karen Seo
- Re: IPsec issue #46 -- No need for nested SAs or … Stephen Kent
- Re: IPsec issue #46 -- No need for nested SAs or … Michael Richardson
- Re: Fwd: IPsec issue #46 -- No need for nested SA… Michael Richardson
- Re: IPsec issue #46 -- No need for nested SAs or … Markku Savela
- RE: IPsec issue #46 -- No need for nested SAs or … Mohan Parthasarathy
- RE: IPsec issue #46 -- No need for nested SAs or … Mohan Parthasarathy