Hi Steve,

I have some follow-up questions. In the following questions I have assumed that 3 IPsec protocols shall be applied on a given traffic stream.

1) When IKEv2 is used with an RFC2401-compliant implementation, can a single IKEv2 CREATE_CHILD_SA negotiate IPComp, ESP and AH SAs for the given traffic selector?

2) When IKEv2 is used with an RFC2401-bis-compliant implementation, there have to be three IKEv2 CREATE_CHILD_SA exchanges:
   (1) Plain traffic selectors for the IPComp SA
   (2) Same source IP, destination IP, and IPComp for protocol - traffic selectors for the ESP SA
   (3) Tunnel outer header source IP, tunnel outer header destination IP, and Protocol=ESP for the AH SA

3) An implementation needs to know through some other means whether the peer supports RFC2401 or 2401-bis.

Thanks,
Subha
----- Original Message -----
Sent: Friday, April 01, 2005 2:32 PM
Subject: Re: [Ipsec] Number of SPD Policies

At 12:21 PM -0800 4/1/05, Subha wrote:
Hi List-members,

If I need to apply both ESP and AH SAs between the two security gateways for a given traffic stream, do I need to create two policies or one policy? Can someone indicate this with respect to the following combinations:

1) IKEv1 + 2401

YES, the status quo

2) IKEv1 + 2401bis

not a good match, because 2401bis mandates support for features available in IKEv2 that are not in IKEv1.

3) IKEv2 + 2401

this combination should work.

4) IKEv2 + 2401bis

YES, the intended match up
From the IKEv1 or IKEv2 perspective, my understanding is that there are no restrictions posted. 2401bis seems to indicate that if there is nested tunneling, i.e. if the security tunnel is going to terminate in 2 different remote gateways, then we need to have two SPD policies. (Reference Appendix E in 2401-bis)
What 2401bis says is that to accommodate a nested SA, in general, one will need multiple SPD entries and coordinated entries in the forwarding tables on both the protected and unprotected sides of the IPsec boundary. It does not say this is an issue that arises when the endpoints for the tunnel are distinct. The example in Appendix E is just an example, not a comprehensive discussion of how one configures the SPD and forwarding tables to accommodate nesting in general.
However, if the terminating tunnel endpoint is the same remote gateway and both ESP and AH need to be applied to a particular traffic stream, then a single SPD policy should suffice. I did not see any statement in 2401-bis restricting this.
In the example you cited above, applying AH and ESP to traffic, note that the SPD definition in 2401bis specifies application of only one security protocol per SA. So I believe that more than one SPD entry is required to achieve even this simple nested SA example.

Steve
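To make the one-protocol-per-SPD-entry point concrete, here is an added illustration (not code from the thread or from any IPsec implementation) that derives the chain of SPD entries needed when IPComp, ESP and AH are stacked on one traffic stream, as in Subha's question 2: each outer layer's selector matches the output of the layer beneath it. The gateway addresses, inner subnets and the transport/tunnel/transport layering are constructed assumptions for the sample.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# IANA IP protocol numbers for the three IPsec-family protocols.
PROTO_NUM = {"IPComp": 108, "ESP": 50, "AH": 51}

@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: object  # "any" or an IP protocol number

@dataclass(frozen=True)
class SpdEntry:
    selector: Selector          # traffic this entry matches
    protocol: str               # exactly one protocol per entry (2401bis rule)
    mode: str                   # "transport" or "tunnel"
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None

def nested_spd_entries(inner: Selector, stack: List[Tuple[str, str]],
                       gw_local: str, gw_remote: str) -> List[SpdEntry]:
    """Return ordered SPD entries applying `stack` (innermost layer first)
    to traffic matching `inner`. Because an entry carries one protocol,
    each later layer must match the previous layer's output: the tunnel
    endpoints if that layer was tunnel mode, else the same addresses,
    with proto set to the previous layer's protocol number."""
    entries, sel = [], inner
    for protocol, mode in stack:
        if protocol not in PROTO_NUM or mode not in ("transport", "tunnel"):
            raise ValueError(f"unsupported layer {protocol}/{mode}")
        tunnel = mode == "tunnel"
        entries.append(SpdEntry(sel, protocol, mode,
                                gw_local if tunnel else None,
                                gw_remote if tunnel else None))
        # Selector the next (outer) layer will see.
        sel = (Selector(gw_local, gw_remote, PROTO_NUM[protocol]) if tunnel
               else replace(sel, proto=PROTO_NUM[protocol]))
    return entries

# Constructed sample: two protected subnets behind two gateways (RFC 5737 addresses).
SAMPLE_INNER = Selector("10.1.0.0/16", "10.2.0.0/16", "any")
SAMPLE_STACK = [("IPComp", "transport"), ("ESP", "tunnel"), ("AH", "transport")]
GW_LOCAL, GW_REMOTE = "192.0.2.1", "198.51.100.1"

if __name__ == "__main__":
    for e in nested_spd_entries(SAMPLE_INNER, SAMPLE_STACK, GW_LOCAL, GW_REMOTE):
        print(e)
```

The three entries produced line up with items (1), (2) and (3) in the question above; collapsing them into one would require an SPD entry naming more than one protocol.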