Re: FW: IPSec Monitoring MIB works for IPv4 only?
"Scott G. Kelly" <skelly@redcreek.com> Tue, 24 November 1998 00:28 UTC
Received: by portal.ex.tis.com (8.9.1/8.9.1) id TAA11487 for ipsec-outgoing; Mon, 23 Nov 1998 19:28:13 -0500 (EST)
Message-ID: <365A026E.719F58AE@redcreek.com>
Date: Mon, 23 Nov 1998 16:48:46 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.5 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Tim Jenkins <tjenkins@TimeStep.com>
CC: ipsec@tis.com
Subject: Re: FW: IPSec Monitoring MIB works for IPv4 only?
References: <319A1C5F94C8D11192DE00805FBBADDF596056@exchange>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I wrote: > > What I have been trying to express is that the mib should support > any > > legal SA bundle as defined in the architecture document. My comments > > > regarding rigid ordering, e.g. [AH][ESP][IPPCP], were based mostly > on > > the fact that the architecture doc does not forbid other > > orderings, but > > rather does not mandate support for more than a few likely ones. <trimmed...> Tim wrote: > From 'case 1' of section 4.5 of the architecture document: > > <start quote> > Note that there is no requirement to support general nesting, > but in transport mode, both AH and ESP can be applied to the > packet. In this event, the SA establishment procedure MUST > ensure that first ESP, then AH are applied to the packet. > <end quote> > > I read this as saying that for simultaneously negotiated SAs (a > protection suite), the processing of AH before ESP (outbound) IS > illegal. As such, the MIB won't explicitly support it. <trimmed...> I understand what you're saying here, but I think there is an ambiguity. Just prior to the text you quote (also in section 4.5) is the following text: <begin quote> This section describes four examples of combinations of security associations that MUST be supported by compliant IPsec hosts or security gateways. Additional combinations of AH and/or ESP in tunnel and/or transport modes MAY be supported at the discretion of the implementor. Compliant implementations MUST be capable of generating these four combinations and on receipt, of processing them, but SHOULD be able to receive and process any combination. The diagrams and text below describe the basic cases. <end quote> I take this to mean that any combination is possible. I take the text you quote to mean that for case 1, the specific ordering is a defining characteristic of this particular case. > Further, from section 2 of <draft-ietf-ippcp-protocol-06.txt> > > <start quote> > > The compression of outbound IP datagrams MUST be done before any IP > security processing, such as encryption and authentication, and > before any fragmentation of the IP datagram. ... > > <end quote> > > I read this as saying that for simultaneously negotiated SAs (a > protection suite), the processing of ESP or AH before IPCOMP > (outbound) IS illegal. I agree with the sensibility of this approach in most cases, i.e. it doesn't make sense to try to compress ostensibly random data. However, it might make sense to compress authenticated data in some cases. In any event, since the draft in question originated outside of this wg, I'm not sure we should cite it as a constraining authority for ipsec implementations. <trimmed...> >There's nothing in the MIB that prevents the presentation of separately > negotiated SAs with the same selector with different services. > However, they won't show up in what was called the ipsecSaTable as a > single entry; they'll just take two entries in that table. (Table is > now called ipsecProtSuiteTable.) I guess this is the bottom line. This means there is a (new) mechanism for representing arbitrary nesting of SAs, although it may not be optimal. I guess that addresses my concern. Scott
- FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- Re: FW: IPSec Monitoring MIB works for IPv4 only? John Shriver
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Michael Richardson
- Re: FW: IPSec Monitoring MIB works for IPv4 only? John Shriver
- Bundle or not in negotiation Markku Savela
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- RE: Bundle or not in negotiation Tim Jenkins
- RE: Bundle or not in negotiation Richard Draves
- Re: Bundle or not in negotiation Daniel Harkins
- Re: FW: IPSec Monitoring MIB works for IPv4 only? John Shriver
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tero Kivinen
- Re: Bundle or not in negotiation Mohan Parthasarathy
- RE: Bundle or not in negotiation Markku Savela
- Re: Bundle or not in negotiation Markku Savela
- RE: Bundle or not in negotiation Sumit Vakil
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Scott G. Kelly
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- Re: Bundle or not in negotiation Scott G. Kelly
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Daniel Harkins
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Richard Draves
- RE: Bundle or not in negotiation Richard Draves
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Scott G. Kelly
- Re: Bundle or not in negotiation Daniel Harkins
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Paul Koning
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tero Kivinen
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Daniel Harkins
- Re: Bundle or not in negotiation Mohan Parthasarathy
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Paul Koning
- RE: FW: IPSec Monitoring MIB works for IPv4 only? M. C. Nelson
- Re: Bundle or not in negotiation Markku Savela
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Scott G. Kelly
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Richard Draves
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tero Kivinen
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Michael C. Richardson
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- RE: FW: IPSec Monitoring MIB works for IPv4 only? Tim Jenkins
- rekeying issues, was Re: FW: IPSec Monitoring MIB… Daniel Harkins
- Re: rekeying issues, was Re: FW: IPSec Monitoring… Daniel Harkins
- RE: rekeying issues, was Re: FW: IPSec Monitoring… Tim Jenkins
- Re: rekeying issues, was Re: FW: IPSec Monitoring… Paul Koning
- Re: FW: IPSec Monitoring MIB works for IPv4 only? Scott G. Kelly
- Re: Bundle or not in negotiation Hilarie K. Orman
- Re: Bundle or not in negotiation Angelos D. Keromytis
- Re: Bundle or not in negotiation Scott G. Kelly
- RE: Bundle or not in negotiation Jeff Carr