
List:       ipsec
Subject:    Re: [Ipsec] IPv6 Configuration in IKEv2
From:       Mohan Parthasarathy <mohanp () sbcglobal ! net>
Date:       2006-06-30 16:49:33
Message-ID: 20060630164933.4833.qmail () web80615 ! mail ! yahoo ! com

 
> >Actually my confusion on this whole discussion might be, it was not
> >clear for me how the negotiation of configuration payloads / traffic
> >selectors affects its SPD or routing to the "interface".
> >It seems, it is clearly defined that the negotiation of traffic
> >selectors affects its SPD, on the other hand actual IPsec
> >implementations may need to take care of any other details such as
> >the difference between "SPD" and "interface" for the
> >interoperability.
> >
> >Best Regards,
> >Kimihiro Ohki
> 
> the SPD is not modified by IKE negotiation of traffic selectors.  The
> SPD controls the traffic selector negotiation process.  The SAD entry
> and SPD cache entry created for an SA are affected by the IKE
> negotiation.
> 
In the road warrior case, the IP address is assigned
by the security gateway and this would result in
SPD modification ("inner-address --> 0.0.0.0 PROTECT")
as this address is not known a priori. This
is a modification, right?

The value in INTERNAL_IP*SUBNET tells the host
(initiator) that the traffic to these addresses
should be protected. As per 4301, SPD is the
only place that I can find suitable for adding this.
But then, this would result in source address
selection problems. Hence, as suggested in
Pasi's earlier mail, it normally affects the
routing table entry. These routes would point
to an interface where the address returned in
CFG-REPLY is assigned. With this, you have just
one SPD entry: "inner-address -> 0.0.0.0 PROTECT".

-mohan

> Steve
> 
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
> 
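
The model described in the message above (routes for the INTERNAL_IP*SUBNET values pointing at the interface that holds the CFG-REPLY address, plus a single SPD entry), as an added example that is not part of the original message. All addresses and interface names are constructed, "0.0.0.0" is read as "any destination", and the BYPASS fallback for unmatched traffic is an assumption.

```python
# Added illustration, not code from the thread. Addresses, interface names and
# the BYPASS fallback are assumptions made for this sketch.
import ipaddress

INNER_ADDR = ipaddress.ip_address("10.8.0.5")      # address returned in CFG-REPLY (constructed)
PHYS_ADDR = ipaddress.ip_address("192.0.2.10")     # road warrior's own address (constructed)
INTERNAL_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16"]  # INTERNAL_IP4_SUBNET values (constructed)

# Interface name -> address assigned to it. "vpn0" holds the inner address.
INTERFACES = {"eth0": PHYS_ADDR, "vpn0": INNER_ADDR}

# The single SPD entry from the message: inner-address -> any, PROTECT.
SPD = [(ipaddress.ip_network(f"{INNER_ADDR}/32"),
        ipaddress.ip_network("0.0.0.0/0"), "PROTECT")]


def build_routes(subnets):
    """Default route via eth0, plus one route per advertised subnet via vpn0."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
    routes += [(ipaddress.ip_network(s), "vpn0") for s in subnets]
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match; returns the outgoing interface name."""
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def spd_lookup(src, dst):
    """First matching SPD entry wins; unmatched traffic is BYPASS (assumption)."""
    for local, remote, action in SPD:
        if src in local and dst in remote:
            return action
    return "BYPASS"


def outbound(dst_str, routes):
    """Route first, take the source address from the chosen interface, then
    consult the SPD with that (source, destination) pair."""
    dst = ipaddress.ip_address(dst_str)
    ifc = route_lookup(routes, dst)
    src = INTERFACES[ifc]
    return ifc, str(src), spd_lookup(src, dst)


if __name__ == "__main__":
    for label, subnets in (("with subnet routes", INTERNAL_SUBNETS), ("without", [])):
        for dst in ("10.1.3.4", "198.51.100.7"):
            print(label, dst, outbound(dst, build_routes(subnets)))
```

Without the subnet routes, traffic to 10.1.3.4 is sourced from the physical address and never matches the PROTECT entry, which is the source address selection problem the message refers to.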

