Re:
rohit <rohit@trinc.com> Fri, 06 November 1998 14:11 UTC
Received: by portal.ex.tis.com (8.9.1/8.9.1) id JAA27717 for ipsec-outgoing; Fri, 6 Nov 1998 09:11:33 -0500 (EST)
Message-Id: <3.0.1.32.19981106191916.0070dce8@172.16.1.10>
X-Sender: rohit@172.16.1.10
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Fri, 06 Nov 1998 19:19:16 +0500
To: kent@bbn.com
From: rohit <rohit@trinc.com>
Subject: Re:
Cc: ipsec@tis.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I am restating the problem, however the scenario specified here is that
given in "draft-ietf-ipsec-arch-sec-06.txt" draft on PAGE 27 case 4:

   ======================================================
   |                                                    |
   |==============================                      |
   ||                            |                      |
   ||       ---|----------------------|---              |
   ||      |   |                      |   |             |
H1* ----- (Internet) ------| SG2* ---- (Local ----- H2*  |
   ^                       |          Intranet)      |   |
could be                   ------------------------------
dialup                        admin. boundary (optional)
to PPP/ARA
server

Let us assume that N1 is the IP network address for the network of H1
and N2 that of the network comprising SG2 and H2.

The policy at H1 for outbound is

   direction = out
   Selectors : src addr  H1
               dest addr H2
   Security Policy :
      Security Gateway SG2
         Protocol    ESP with Auth
         Mode        Tunnel
         Algorithms  3DES or DES   MD5
      Protocol    AH (up to H2)
         Mode        Transport
         Algorithms  SHA-1 or MD5
   OR
      Security Gateway SG2
         Protocol    ESP with no authentication
         Mode        Tunnel
         Algorithms  3DES
      Protocol    AH  ESP (up to H2)
         Mode        Transport
         Algorithms  SHA-1  DES

(We think that this is the way the SPD entry will be and that there
aren't individual entries for SG2 and H2! If they are two different
entries in the SPD, the inbound processing will accumulate an SA bundle
that consists of more than one protocol at H1 and finds that the
individual SPD entries cannot be satisfied by this.)

For inbound the same applies except that the selectors source and
destination addresses get interchanged.

The inbound policy at SG2 is :

   direction = in
   Selectors : src addr  H1
               dest addr N2
   Security Policy :
         Protocol    ESP with no auth
         Mode        Tunnel
         Algorithms  3DES

(NOTE : dest here can be N2 or specifically H2)

For outbound the same applies except that the selectors source and
destination addresses get interchanged.

The policy at H2 for inbound is

   Selectors : src addr  H1
               dest addr H2
   Security Policy :
         Protocol    AH
         Mode        Transport
         Algorithms  SHA-1
         Protocol    AH  ESP
         Mode        Transport
         Algorithms  SHA-1  DES

For outbound the same applies except that the selectors source and
destination addresses get interchanged.

The questions we have are as follows :

* Is it possible for the negotiations with SG2 and H2 from H1 to happen
  simultaneously or is it always mandatory that the ISAKMP traffic to H2
  be protected by the ESP tunnel from H1 to SG2?

* In the example policy above, since the negotiations with SG2 and H2
  happen independently, SG2 selects the second choice offered by H1 and
  H2 selects the first one. Since these together satisfy neither of the
  security policies mandated by H1, they cannot really form an SA bundle
  but are perfect choices as far as IKE is concerned. The problem here is
  that we treat the negotiations as completely independent and the
  selected protocols and transforms are one of those offered. However,
  since both of them together have to be applied to satisfy security
  requirements in H1, they cannot form an SA bundle.

- Rohit

At , you wrote:
>At 05:29 PM 11/5/98 -0500, you wrote:
>>Rohit,
>>
>>I have to admit that I cannot follow the example, to understand what was
>>desired vs. what was negotiated and what the problem was. There are too
>>many indefinite antecedents in the text. Please restate the problem in the
>>following terms:
>>
>>	Relevant outbound SPD entries for SG1. The entries should be
>>described in terms of selectors, required protocols, and algorithms. (The
>>term "proposal" does not relate to an SPD entry, it's an IKE term, so I
>>can't figure out what you're referring to.)
>>
>>	Relevant inbound SPD entries for SG2 and H2, as above.
>>
>>	IKE proposals sent by SG1 to SG2, and the response from SG2. Then,
>>with that SA in place, IKE proposals sent by SG1 to H2, and H2's response.
>>Then the resulting pair of iterated tunnels, and why this result does not
>>match what SG2's SPD called for.
>>
>>Steve
>>
>>
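The mismatch Rohit raises in his second question, as an added Python model that is not part of the original message or of any IPsec implementation: H1's SPD entry holds the two alternative bundles from the message, each peer's IKE responder picks independently from what H1 offers, and a check shows the resulting pair of SAs matches neither alternative. The sequenced variant (settle the SG2 SA first, then offer H2 only the proposals consistent with it) is an assumed mitigation, not something the message proposes; the SA fields and responder preferences are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    """One SA of a bundle: terminating peer, protocol, mode, algorithms."""
    peer: str
    protocol: str
    mode: str
    algs: tuple

# Constructed from the message: H1's outbound SPD entry (src H1, dst H2)
# accepts either of two bundles, each one SA to SG2 plus one SA to H2.
H1_SPD_ALTERNATIVES = (
    (SA("SG2", "ESP+auth", "tunnel", ("3DES", "MD5")),
     SA("H2", "AH", "transport", ("SHA-1",))),
    (SA("SG2", "ESP", "tunnel", ("3DES",)),
     SA("H2", "AH+ESP", "transport", ("SHA-1", "DES"))),
)

def offers_for(peer, alternatives):
    """IKE proposal list for one peer: the SA each alternative needs from it."""
    return [next(sa for sa in alt if sa.peer == peer) for alt in alternatives]

def negotiate(offers, preferred_protocol):
    """One IKE exchange: the responder takes its preferred protocol if offered,
    else the first proposal. Any single offered choice is valid to IKE."""
    for sa in offers:
        if sa.protocol == preferred_protocol:
            return sa
    return offers[0]

def satisfies_spd(bundle, alternatives):
    """The bundle is acceptable only if all its SAs come from one alternative."""
    return any(set(bundle) == set(alt) for alt in alternatives)

def independent_negotiation(sg2_pref, h2_pref, alternatives=H1_SPD_ALTERNATIVES):
    """As in the message: SG2 and H2 each choose from H1's full offer list."""
    sg2_sa = negotiate(offers_for("SG2", alternatives), sg2_pref)
    h2_sa = negotiate(offers_for("H2", alternatives), h2_pref)
    return (sg2_sa, h2_sa)

def sequenced_negotiation(sg2_pref, h2_pref, alternatives=H1_SPD_ALTERNATIVES):
    """Assumed mitigation (not from the message): settle the SG2 SA first, then
    offer H2 only the SAs of alternatives still consistent with SG2's choice."""
    sg2_sa = negotiate(offers_for("SG2", alternatives), sg2_pref)
    remaining = tuple(alt for alt in alternatives if sg2_sa in alt)
    h2_sa = negotiate(offers_for("H2", remaining), h2_pref)
    return (sg2_sa, h2_sa)
```

With SG2 preferring plain ESP and H2 preferring plain AH, independent_negotiation returns the pair from the message (SG2's second choice, H2's first), which satisfies_spd rejects, while sequenced_negotiation leaves H2 only the AH+ESP proposal and the bundle matches the second alternative.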