Re: [Ipsec] Number of SPD Policies
At 12:21 PM -0800 4/1/05, Subha wrote:
> Hi List-members,
>
> If I need to apply both ESP and AH SAs between the two security gateways for a given traffic stream, do I need to create two policies or one policy?
>
> Can someone indicate this with respect to the following combinations:
>
> 1) IKEv1 + 2401
YES, the status quo
> 2) IKEv1 + 2401bis
not a good match, because 2401bis mandates support for features
available in IKEv2 that are not in IKE v1.
> 3) IKEv2 + 2401
this combination should work.
> 4) IKEv2 + 2401bis
YES, the intended match up
> From IKEv1 or IKEv2 perspective, my understanding is that there are no restrictions posted.
>
> 2401bis seems to indicate that if there is nested tunneling, i.e. if the security tunnel is going to terminate in 2 different remote gateways, then we need to have two SPD policies. (Reference Appendix E in 2401-bis)
What 2401bis says is that to accommodate a nested SA, in general,
one will need multiple SPD entries and coordinated entries in the
forwarding tables on both the protected and unprotected sides of the
IPsec boundary. It does not say this is an issue that arises when the
endpoints for the tunnel are distinct. The example in Appendix E is
just an example, not a comprehensive discussion of how one configures
the SPD and forwarding tables to accommodate nesting in general.
> However if the terminating tunnel endpoint is the same remote gateway and both ESP and AH need to be applied to a particular traffic stream, then a single SPD policy should suffice. I did not see any statement in 2401-bis restricting this.
In the example you cited above, applying AH and ESP to traffic,
note that the SPD definition in 2401bis specifies application of only
one security protocol per SA. So I believe that more than one SPD
entry is required to achieve even this simple nested SA example.
Steve
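As an added illustration of the point Steve makes above (this is constructed example code, not code from this thread or from any IPsec implementation): a toy Python model of 4301bis-style outbound SPD processing. It assumes exact-match selectors, a forwarding table keyed by (destination, protocol), and made-up addresses; an SPD entry that names both AH and ESP is rejected, and protecting one stream with both requires two SPD entries plus a forwarding entry that re-injects the ESP output at the IPsec boundary.

```python
# Added example (constructed; not code from this thread or any IPsec stack):
# a toy model of RFC 4301-style outbound SPD processing. An SPD entry names
# one security protocol, so AH+ESP on one stream is a nested SA: two SPD
# entries plus a forwarding entry that re-injects the first SA's output.
from dataclasses import dataclass

@dataclass
class SpdEntry:
    selector: tuple        # (local, remote, next_proto), exact match here
    action: str            # "PROTECT", "BYPASS" or "DISCARD"
    protocol: str = ""     # exactly one of "AH" / "ESP" when PROTECT
    mode: str = ""         # "tunnel" or "transport"
    endpoints: tuple = ()  # (local_gw, remote_gw) for tunnel mode
    def __post_init__(self):
        # The 4301 SPD applies a single security protocol per SA, never both.
        if self.action == "PROTECT" and self.protocol not in ("AH", "ESP"):
            raise ValueError(f"one of AH or ESP required, got {self.protocol!r}")

# A packet is (src, dst, proto, layers); layers lists protections applied so far.
def apply_sa(entry, pkt):
    src, dst, proto, layers = pkt
    if entry.mode == "tunnel":      # tunnel mode adds an outer gateway header
        src, dst = entry.endpoints
    return (src, dst, entry.protocol.lower(), layers + [entry.protocol])

def process_outbound(spd, forwarding, pkt, max_passes=4):
    """Match the SPD, apply the SA, then consult the forwarding table keyed by
    (dst, proto): "ipsec" re-injects the packet at the boundary so the nested
    entry can match the outer packet; "wire" (default) ends processing."""
    for _ in range(max_passes):
        entry = next((e for e in spd if e.selector == pkt[:3]), None)
        if entry is None or entry.action == "DISCARD":
            return None
        if entry.action == "PROTECT":
            pkt = apply_sa(entry, pkt)
        if forwarding.get(pkt[1:3], "wire") == "wire":
            return pkt
    raise RuntimeError("forwarding loop: packet never reaches the wire")

def nested_ah_esp_spd():
    """Two coordinated entries: ESP tunnel first, then AH over the ESP packet."""
    return [
        SpdEntry(("10.0.1.5", "10.0.2.7", "tcp"), "PROTECT", "ESP", "tunnel",
                 ("192.0.2.1", "198.51.100.1")),
        SpdEntry(("192.0.2.1", "198.51.100.1", "esp"), "PROTECT", "AH", "transport"),
    ]

def loopback_forwarding():
    """Re-inject ESP output at the boundary; the AH-wrapped packet goes to the wire."""
    return {("198.51.100.1", "esp"): "ipsec", ("198.51.100.1", "ah"): "wire"}
```

Without the loopback forwarding entry the packet leaves after the ESP SA alone, which is the coordination between SPD and forwarding tables that 2401bis calls for.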
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.