Re: [Ipsec] Number of SPD Policies

At 4:35 PM -0800 4/1/05, Subha wrote:
Hi Steve,
 
I have some follow-up questions.
 
In the following questions I have assumed that 3 IPsec Protocols shall be applied
on a given traffic stream.
 
1) When IKEv2 is used with RFC2401 compliant implementation, can a single IKEv2
CREATE_CHILD_SA negotiate IPcomp, ESP and AH SAs for the given traffic
selector?

yes, but as Tero noted, it would be a mistake, in general, to use IKEv2 with 2401.

2) When IKEv2 is used with an RFC2401-bis compliant implementation, there have to
be three IKEv2 CREATE_CHILD_SA Exchanges.
 
(1) Plain Traffic selectors for IPcomp SA
(2) Same Source IP, Destination IP and IPComp for Protocol - Traffic Selectors for ESP SA
(3) Tunnel Outer Header Source IP, Tunnel Outer Header Destination IP and Protocol=ESP
for AH SA.

yes, one needs to negotiate all three, if you did all three. Again, there seems to be very little motivation for using BOTH AH and ESP, vs. just using ESP with an appropriate integrity algorithm.

3) An implementation needs to know through some other means,
whether the peer supports RFC2401 or 2401-bis.

I would generally expect an implementation that supports IKEv2 to implement 2401-bis, given certain defaults adopted by IKEv2, e.g., ESN for AH or ESP.

Steve
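The selector nesting that Subha lists in question 2 follows a simple rule under 2401-bis: each SA is negotiated against the packet as it looks after the previous SA has been applied, so the ESP selector carries protocol IPComp and the AH selector carries the tunnel outer addresses with protocol ESP. The following Python model is an added illustration, not code from this thread or from any IPsec implementation; it derives the three CREATE_CHILD_SA selectors from a plain traffic selector and an ordered SA chain, and contrasts that with the single-selector SA bundle of RFC 2401. The host and gateway addresses are constructed sample values; the protocol numbers (ESP 50, AH 51, IPComp 108) are the IANA-assigned ones.

```python
"""Model of RFC 2401-bis per-SA traffic selectors versus an RFC 2401 SA bundle.

Added example for the IPsec list discussion above, not an implementation's code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers for the three IPsec protocols.
IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_IPCOMP = 108


@dataclass(frozen=True)
class Selector:
    """Traffic selector as carried in a CREATE_CHILD_SA TSi/TSr pair (simplified)."""
    src: str
    dst: str
    proto: Optional[int]  # None means "any protocol"


@dataclass(frozen=True)
class SAParams:
    """One SA in the chain: its protocol and, for tunnel mode, the outer addresses."""
    protocol: int
    tunnel: Optional[Tuple[str, str]] = None  # (outer src, outer dst) for tunnel mode


def after_encapsulation(inner: Selector, sa: SAParams) -> Selector:
    """Selector the packet presents once `sa` has been applied to it.

    Transport mode keeps the addresses and changes only the protocol field;
    tunnel mode replaces the addresses with the tunnel endpoints.
    """
    if sa.tunnel is not None:
        outer_src, outer_dst = sa.tunnel
        return Selector(outer_src, outer_dst, sa.protocol)
    return Selector(inner.src, inner.dst, sa.protocol)


def child_sa_selectors(plain: Selector, chain: List[SAParams]) -> List[Tuple[int, Selector]]:
    """RFC 2401-bis: one CREATE_CHILD_SA per SA, each negotiated against the
    packet as seen at that point in the chain (the thread's items (1)-(3))."""
    result = []
    current = plain
    for sa in chain:
        result.append((sa.protocol, current))
        current = after_encapsulation(current, sa)
    return result


def bundle_selector(plain: Selector, chain: List[SAParams]) -> Tuple[List[int], Selector]:
    """RFC 2401: the whole bundle is negotiated once, against the plain traffic."""
    return ([sa.protocol for sa in chain], plain)


def matches(packet: Selector, entry: Selector) -> bool:
    """SPD-style match: addresses must be equal, entry protocol None is a wildcard."""
    return (packet.src == entry.src and packet.dst == entry.dst
            and (entry.proto is None or entry.proto == packet.proto))


def scenario() -> List[Tuple[int, Selector]]:
    """Subha's scenario: IPComp (transport) -> ESP (tunnel) -> AH (transport) over the tunnel."""
    plain = Selector("10.0.0.1", "10.0.1.1", None)      # constructed host addresses
    chain = [
        SAParams(IPPROTO_IPCOMP),
        SAParams(IPPROTO_ESP, tunnel=("192.0.2.1", "198.51.100.1")),  # constructed gateways
        SAParams(IPPROTO_AH),
    ]
    return child_sa_selectors(plain, chain)


if __name__ == "__main__":
    for proto, sel in scenario():
        print(f"CREATE_CHILD_SA for protocol {proto}: {sel}")
```

Running the block prints the three selectors in negotiation order: the plain selector for the IPComp SA, the same addresses with protocol 108 for the ESP SA, and the gateway addresses with protocol 50 for the AH SA, which is exactly why three exchanges are needed where RFC 2401 needed one bundle.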
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.