 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Alexander Starostin                  2:5020/1297.153 05 Sep 2004  17:38:26
 To : Eugene Grosbein
 Subject : ipsec
 -------------------------------------------------------------------------------- 
 
 
 EG> Now I also want to encrypt transit traffic: the first machine has the
 EG> network 1.1.1.65/26 on another of its interfaces, the second has 1.1.1.1/26.
 EG> I add to ipsec.conf by analogy (symmetrically on the second machine):
 EG> # description of the second flow
 EG> spdadd 1.1.1.0/26  1.1.1.64/26 any -P in  ipsec
 EG> esp/transport/1.1.1.162-1.1.1.161/require;
 EG> spdadd 1.1.1.64/26 1.1.1.0/26  any -P out ipsec
 EG> esp/transport/1.1.1.161-1.1.1.162/require;
 
 EG> Now I run the same ping between the same machines,
 EG> but this time from address 1.1.1.65 to 1.1.1.1. On the responding machine
 EG> I see the incoming encrypted packet in tcpdump, and that is all. No reply.
 EG> On the responding machine the rule list begins with allow icmp from any to
 EG> me, and it is not matched. Conclusion: the packets are not being decrypted.
 
 The book "IPSEC" (ISBN 0-13-046189-X), chapter 3, states: "transport mode
 can only be used to protect packets where the communications endpoint is also
 the cryptographic endpoint."
 
 In other words, spdadd ... esp/transport/ must be used with a /32 mask, and,
 conversely, a mask other than /32 must be used only with spdadd ...
 esp/tunnel/.
 
 I modestly suspect that all this is because the dst ip is part of the vector
 needed to identify the correct SA:
 
 ===
 Security Parameter Index (SPI)
 
 The SPI is a very important element in the SA. An SPI is a 32-bit entity that is
 used to uniquely identify an SA at the receiver. It was mentioned before that
 the security context or SA is a contract between two hosts communicating
 securely and indicates the parameters, such as keys and algorithms. However,
 there has to be some mechanism for the source to identify which SA to use to
 secure the packet and for the destination to identify which SA to use to check
 the security of the received packet. The source identifies the SA by using the
 selectors. However, the destination does not have access to all the fields in
 the selectors as some of the fields in the selectors belong to the transport
 layer.
 
 To solve the problem of identifying the SA on the destination, the SPI that
 uniquely identifies the SA on the destination is sent with every packet. The
 destination uses this value to index into the receiving SADB and fetch the SA.
 The obvious questions are who guarantees the uniqueness of the mapping between
 the SPI and SA and what is the domain of uniqueness on the destination for each 
 protocol-global, per source, or per address on the host. It is up to
 receiver/destination to guarantee this uniqueness. It is a requirement to
 maintain a separate SPI domain for each protocol. The destination can use any
 consistent mechanism to guarantee uniqueness inside each domain. The IPSec
 architecture specifies that the <spi, destination address> in the packet should 
 uniquely identify an SA.
 
 The receiver allocates the SPI that is stored as part of the SA on the sender.
 The sender includes this in every packet under the assumption that the receiver 
 can use this to uniquely identify the SA. If the receiver does not guarantee
 uniqueness, packets will fail security checks as invalid keys and transforms may
 be used.
 
 The sending host uses the selectors to uniquely index into the sending SADB. The
 output of this lookup is an SA that has all the negotiated security parameters, 
 including the SPI. The host that allocates the SPI guarantees uniqueness. The
 SPI is reused once the SA expires but it is guaranteed that at any point the
 mapping between <spi, dst>, and SA is one to one. The src address is used in
 cases where the host is multihomed, that is, a host with more than one IP
 interface. This can be because there is more than one network card on the host
 or because of the fact that multiple IP interfaces are configured on the same
 network card (the host has multiple IP addresses). In this case, it is possible 
 that the index <spi, dst> is not unique and src is used to resolve the
 ambiguity.
 
 The SPI is transmitted as part of AH and ESP headers. The receiving host uses
 the tuple <spi, dst, protocol> (where dst is the destination address in the IP
 header) to uniquely identify the SA. It is possible to use the source address in
 addition to <spi, dst, protocol> to uniquely identify an SA to conserve the SPI 
 space. However, this is not part of the standards and is something specific to
 an implementation.
 ===
 
 Have a nice day!
 
 ---
  * Origin:  (2:5020/1297.153)
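A small model of the SA lookup the quoted chapter describes, added here as an illustration and not part of the original post or of any IPsec implementation: the receiver indexes its SADB by <spi, dst, protocol>, where dst is taken from the IP header that actually carries ESP. With the thread's addresses it shows why transit traffic protected by a transport-mode SA between the gateways cannot be matched on receipt, while tunnel mode works. The SPI value and the SADB contents are constructed, and the model ignores everything a real kernel does beyond this one lookup.

```python
from dataclasses import dataclass
from typing import Optional

ESP = 50   # IP protocol number of ESP
ICMP = 1   # IP protocol number of ICMP (the ping in the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int] = None  # present only on ESP packets


# Inbound SADB of gateway 1.1.1.161: one SA negotiated with peer 1.1.1.162.
# Keyed exactly as the chapter says: (spi, dst, protocol). SPI is constructed.
SADB = {(0x1000, "1.1.1.161", ESP): "SA 1.1.1.162 -> 1.1.1.161"}


def lookup_sa(pkt: Packet) -> Optional[str]:
    """Receiver-side lookup: only <spi, dst, proto> from the packet is used."""
    return SADB.get((pkt.spi, pkt.dst, pkt.proto))


def esp_transport(inner: Packet, spi: int) -> Packet:
    """Transport mode keeps the original IP header; only the protocol changes."""
    return Packet(inner.src, inner.dst, ESP, spi)


def esp_tunnel(inner: Packet, spi: int, gw_src: str, gw_dst: str) -> Packet:
    """Tunnel mode wraps the whole packet in a new header between the gateways."""
    return Packet(gw_src, gw_dst, ESP, spi)


# Transit ping from the thread: 1.1.1.65 -> 1.1.1.1, crossing 1.1.1.162 -> 1.1.1.161.
TRANSIT_PING = Packet("1.1.1.65", "1.1.1.1", ICMP)
# First flow from the thread: the gateways talking to each other directly.
GATEWAY_PING = Packet("1.1.1.162", "1.1.1.161", ICMP)


def transit_transport_found() -> bool:
    # dst stays 1.1.1.1, so <spi, 1.1.1.1, ESP> is not in the gateway's SADB.
    return lookup_sa(esp_transport(TRANSIT_PING, 0x1000)) is not None


def transit_tunnel_found() -> bool:
    # Outer header is addressed to the gateway, so the lookup succeeds.
    return lookup_sa(esp_tunnel(TRANSIT_PING, 0x1000, "1.1.1.162", "1.1.1.161")) is not None


def gateway_transport_found() -> bool:
    # Communication endpoint == cryptographic endpoint: transport mode is fine.
    return lookup_sa(esp_transport(GATEWAY_PING, 0x1000)) is not None
```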
 
 
