On (06/19/16 20:06), Rafa Marin Lopez wrote:
> > I had a related question Section 8.2, #2 as well: is the first
> > data packet in the clear or not? If it is not in the clear, how
> > can you determine the flow in the general case?
>
> [Rafa] Please be aware that, if ESP (AH does not encrypt the packet)
> has been applied to the packet before reaching the GW1, the IP header of
> that packet is still visible (it is not encrypted). And based on that
> information there would be SPD entries so that the IPsec implementation
> would act based on that visible information. Thus, adding the controller
> does not change that behavior. So I am not sure about the issue/problem you
> may have in mind.

If the first packet is using AH, then the sender has already made some assumption about the auth key. How is the receiver going to know that key (assuming that AH has been added for a reason)?

And what is the point of the following (quoted from Section 8.2) if the sender is already making some assumptions about the AH parameters for the first packet?

"2. The SDN Controller looks for security policies in its SPD table and decides that the flow MUST be protected, for example, with IPsec ESP in tunnel mode.

3. The SDN controller derives keys for the IPsec tunnel and enforces them, along with other information required, such as IPsec mode (ESP or AH), into both gateways' IPsec Security Association Database (SAD)."

To put this another way, isn't this a chicken-and-egg problem: the receiver is supposed to use the first data packet to figure out the SADB/SPD configuration (which may or may not include both AH and ESP), but the first packet itself has some AH (with no ESP) based on <what negotiation?>?

> > If it is in
> > the clear, what is the scope of the security consideration?
>
> [Rafa] Not sure what you mean? Are you referring to section
> 9 or other aspects?

Is the IPsec SA/SPD negotiated in Section 8.1 applicable/different for the first packet compared to the rest of the flow?

--Sowmini

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf