IPsec SA establishment through ISAKMP
Titus Peedikayil <titus@routerware.com> Tue, 03 March 1998 05:05 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id AAA29038 for ipsec-outgoing; Tue, 3 Mar 1998 00:05:30 -0500 (EST)
Message-ID: <71F9F43682B7D011BDA20020C5E2CCB31456C1@FTP>
From: Titus Peedikayil <titus@routerware.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Subject: IPsec SA establishment through ISAKMP
Date: Mon, 02 Mar 1998 21:18:29 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I would like some clarification on the following thoughts. I have assumed that each host has separate OUTBOUND and INBOUND SADs. They also have separate OUTBOUND and INBOUND SPDs.

i) When a host A sends an ISAKMP proposal payload to host B, would not the proposals be based on the INBOUND IPsec policy (SPD) on host A (since IPsec SAs are receiver-oriented)? And since the SPIs for the proposals are determined by the protocols supported on host A, the tuple <destination address, ipsec protocol, SPI> will be unique on host A.

ii) If (i) is correct, then B chooses a proposal based on the OUTBOUND IPsec policy (SPD) and returns it in its reply (proposal payload). This proposal represents the IPsec processing (or transforms) that B applies when it sends data packets to A. So B would create an SA with the selected proposal in the OUTBOUND SAD.

iii) If (i) is correct, then steps (i) and (ii) only achieve secure communication from B to A. If B too were to initiate a proposal payload, then communication could be secured from A to B also, just like in (i) and (ii). But if the ISAKMP on B does not initiate a proposal payload, is there some way for A to force it?

Thanks
Titus.
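The bookkeeping Titus describes, as an added Python model that is not part of the original message or any IPsec implementation: each host keeps separate inbound and outbound SADs, the initiator derives proposals from its INBOUND SPD and assigns receiver-chosen SPIs that are unique under <destination address, protocol, SPI> on that host, the responder picks by its OUTBOUND SPD and installs the result in its outbound SAD, and a check reports which direction is actually protected after one exchange and after a second exchange initiated by the other side. Host names, addresses, transform strings and SPI values are constructed for the example.

```python
"""Toy model of receiver-oriented IPsec SA negotiation (constructed example,
not real ISAKMP message handling)."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class SA:
    dst: str        # destination address of the protected packets
    proto: str      # "ESP" or "AH"
    spi: int        # chosen by the receiver of the protected traffic
    transform: str  # constructed transform label, e.g. "ESP-3DES-HMAC-SHA1"


class Host:
    def __init__(self, name, addr, inbound_spd, outbound_spd):
        self.name = name
        self.addr = addr
        self.inbound_spd = list(inbound_spd)    # transforms accepted on receive (preference order)
        self.outbound_spd = list(outbound_spd)  # transforms this host is willing to apply on send
        self.inbound_sad = {}    # (dst, proto, spi) -> SA, keyed the way a receiver looks packets up
        self.outbound_sad = {}   # peer address -> SA used when sending to that peer
        self._spi = itertools.count(0x1000)     # per-host SPI allocator (constructed start value)

    def make_proposals(self):
        """Initiator: proposals come from the INBOUND SPD; the SPI in each
        proposal is allocated here, so <dst, proto, spi> is unique on this host."""
        proposals = []
        for transform in self.inbound_spd:
            proto = transform.split("-")[0]
            proposals.append(SA(self.addr, proto, next(self._spi), transform))
        return proposals

    def select_proposal(self, proposals):
        """Responder: take the first proposal the OUTBOUND SPD allows and
        install it in the outbound SAD (it protects packets we send to dst)."""
        for sa in proposals:
            if sa.transform in self.outbound_spd:
                self.outbound_sad[sa.dst] = sa
                return sa
        return None  # no acceptable proposal: nothing is installed on either side

    def install_inbound(self, sa):
        """Initiator: record the accepted proposal under the receiver-side lookup key."""
        key = (sa.dst, sa.proto, sa.spi)
        if key in self.inbound_sad:
            raise ValueError("SPI collision in inbound SAD")
        self.inbound_sad[key] = sa


def negotiate(initiator, responder):
    """One proposal/reply exchange; returns the chosen SA or None."""
    chosen = responder.select_proposal(initiator.make_proposals())
    if chosen is not None:
        initiator.install_inbound(chosen)
    return chosen


def protected_directions(a, b):
    """Directions where the sender's outbound entry has a matching inbound entry on the receiver."""
    dirs = []
    for sender, receiver in ((a, b), (b, a)):
        sa = sender.outbound_sad.get(receiver.addr)
        if sa is not None and (sa.dst, sa.proto, sa.spi) in receiver.inbound_sad:
            dirs.append(f"{sender.name}->{receiver.name}")
    return dirs


if __name__ == "__main__":
    a = Host("A", "10.0.0.1", ["ESP-3DES-HMAC-SHA1", "AH-HMAC-MD5"], ["ESP-DES-HMAC-MD5"])
    b = Host("B", "10.0.0.2", ["ESP-DES-HMAC-MD5"], ["ESP-3DES-HMAC-SHA1"])
    print("A proposes, B selects:", negotiate(a, b))
    print("protected after one exchange:", protected_directions(a, b))   # only B->A
    print("B proposes, A selects:", negotiate(b, a))
    print("protected after both exchanges:", protected_directions(a, b))  # A->B and B->A
```

Running the script shows the situation in point (iii): after A's proposal is answered, only B->A has a usable pair of SAD entries; the reverse direction appears only once B has run an exchange of its own. A proposal set that the responder's outbound SPD does not cover yields None and leaves both SADs untouched.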
- IPsec SA establishment through ISAKMP Titus Peedikayil
- Re: IPsec SA establishment through ISAKMP Kai Martius