Re: Rekeing of a CHILD_SA with AH+ESP in IKEv2
Markku Savela <msa <at> burp.tkv.asdf.org>
2006-06-02 11:53:43 GMT
> From: Tero Kivinen <kivinen <at> iki.fi>
> Wrong. AH and ESP are separate SAs each having different traffic
> selectors. The ESP has traffic selectors of the real traffic to be
> protected, and the AH has traffic selectors matching the ESP traffic.
> See the section 5.1 of the RFC4301, and notice that the SPD cache
> returns you exactly one SA, which is used to process the packet with
> either AH or ESP (but not both), and then the packet goes to the
> Forwarding check, that will resend the packet to beginning again, now
> with new selectors and then the SPD cache will return another SA and
> you do the second process step for the packet.
I'm somewhat troubled by the above description. I heartily support the
idea that AH and ESP are negotiated independently. This was my prime
objection for IKEv1 from the start.
But, your selector thing is a bit problematic. In IPv6, AH and ESP are
extension headers. Seems odd that after extension header processing,
the packet would go into "forwarding check" etc. This not the way our
I believe the selectors should always be for "transport level". If you
protect TCP or UDP traffic with AH + ESP, I say the selectors for AH
and ESP should still be the TCP/UDP and ports.
This way the basic IPsec implementations (not including IKE) would be
compatible between RFC-2401 and 4301 implementations.
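To make the quoted RFC 4301 processing model concrete, here is an added toy simulation (not code from either poster): a constructed SPD where the ESP entry selects the real TCP traffic and the AH entry selects ESP traffic (protocol 50), and an outbound loop that applies one SA per pass and sends the packet back to the SPD lookup, as the quoted "forwarding check" describes. Selectors are reduced to (protocol, destination port) and all names are hypothetical.

```python
"""Toy model of RFC 4301 outbound processing with the re-lookup loop
from the quoted text. Constructed example, not an implementation."""
from dataclasses import dataclass, field
from typing import List, Optional

ESP_PROTO, AH_PROTO, TCP_PROTO = 50, 51, 6

@dataclass
class Packet:
    proto: int                      # outermost protocol / IPv6 next header
    dst_port: Optional[int]         # transport port, None once encapsulated
    layers: List[int] = field(default_factory=list)  # protections, inner first

@dataclass
class SPDEntry:
    proto: int                      # selector: protocol number
    dst_port: Optional[int]         # selector: destination port, None = any
    action: str                     # 'protect' or 'bypass'
    apply: Optional[int] = None     # protection to add (ESP_PROTO / AH_PROTO)

def spd_lookup(spd, pkt):
    """First-match SPD lookup; no match means discard, as in RFC 4301."""
    for e in spd:
        if e.proto == pkt.proto and e.dst_port in (None, pkt.dst_port):
            return e
    raise LookupError("no SPD entry (discard)")

def apply_sa(pkt, proto):
    """Encapsulate: the new outer header hides the transport ports."""
    pkt.layers.append(proto)
    pkt.proto = proto
    pkt.dst_port = None
    return pkt

def process_outbound(spd, pkt, max_passes=4):
    """One SA per pass; the forwarding check sends the packet back to the SPD."""
    for _ in range(max_passes):
        entry = spd_lookup(spd, pkt)
        if entry.action == "bypass":
            return pkt
        apply_sa(pkt, entry.apply)
    raise RuntimeError("processing loop did not terminate")

# Constructed SPD in the style of the quoted text: ESP selectors match the
# real TCP traffic, AH selectors match the ESP traffic, AH output is bypassed.
SPD = [
    SPDEntry(TCP_PROTO, 443, "protect", ESP_PROTO),
    SPDEntry(ESP_PROTO, None, "protect", AH_PROTO),
    SPDEntry(AH_PROTO, None, "bypass"),
]

if __name__ == "__main__":
    out = process_outbound(SPD, Packet(TCP_PROTO, 443))
    print(out.layers)  # [50, 51]: ESP applied first, then AH outside it
```

Note that once ESP is applied the ports are no longer visible, which is why the AH entry in this model has to select on protocol 50 rather than on TCP/ports, the point Savela objects to.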