Hello Grant,

Please find replies inline.

> Thank you for the reply Ankit.
>
> On 10/25/2018 10:43 PM, Sinha, Ankit Kumar (HPE Aruba) wrote:
>> SELECTOR and UPSEC in state (SA) are optional parameters.
>
> That's what I thought.
>
>> If one wants to configure it for state it must match with what is given
>> in policy SELECTOR and UPSEC.
>
> Is it possible to have the SELECTOR and UPSEC more specific on the state
> (SA) than on the policy?

It is not possible. SELECTOR and UPSEC must be the same for SA and policy.

> I.e. SELECTOR / UPSEC that specify a protocol (and possibly ports) when
> the policy just matches source / destination?
>
> Granted, I don't think I would want to do this. I'm just wondering if
> it's possible. (I've obviously not tested yet.)
>
> I'm trying to understand what is possible and why someone might choose
> to do something, or not. Motivations vs possibility.

I am not aware of any specific motivation/possibility to do this. Though I am keen to know that.

>> You can very well use the same state (SA) for multiple policies if you don't
>> specify SELECTOR for the state.
>
> That's what I thought was the case. Thank you for confirming.
>
>> As per my understanding, SELECTOR and UPSEC options in state (SA) are given
>> to make it more specific to the policy.
>
> I agree that such is possible. I'm trying to understand why someone
> would want to do that. It's my understanding that the policy specifies
> the state (SA) via the reqid. As such, it's not a possibility that the
> wrong state (SA) can be used. Thus I don't see the need for the
> additional SELECTOR / UPSEC in the state (SA).

It is not always true that the policy specifies the SA via reqid. reqid is an optional parameter but can be used when we have multiple templates in a policy to identify the corresponding SA. As per my understanding, only the ID, which contains the SPI, is enough to map policy and SA.

But I agree with you that for manual IPsec configuration there is no need for an additional SELECTOR / UPSEC in the SA.
I am not sure if IKE may have any possibility, hence the Linux kernel supports it. In turn, ip xfrm has those options.

-- 
Grant. . . . unix || die
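The points argued in the thread (a selector-less SA can serve several policies, the SA selector narrows which flows an SA is used for, reqid is optional and only has to agree between template and SA) can be checked against a small model of the lookup. The following Python is an added example; it is not code from the thread, from iproute2 or from the kernel. The classes Selector, Flow, State, Template, Policy and the function find_state are my own names, the addresses and SPIs are constructed sample values, and the matching rules are a simplified assumption based on my reading of the kernel's xfrm_state_find() (the real lookup also checks mark, if_id, address family and state validity, which are left out here). In particular, this model simply treats an SA whose selector is narrower than the policy's as usable only for flows inside that selector, leaving other flows without an SA; the thread does not test that case.

```python
"""Simplified model of how an xfrm policy template picks a state (SA).

Assumptions (not verified on the page): a template matches a state when
src/dst, proto and mode agree, reqid is equal on both sides (0 = none),
and the template's SPI, if given, equals the state's SPI.  A state with a
selector is additionally used only for flows that match that selector.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Selector:
    src: str                      # prefix, e.g. "10.0.1.0/24"
    dst: str
    proto: Optional[str] = None   # None = any upper-layer protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src, strict=False)
                and ip_address(flow.dst) in ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport))


@dataclass(frozen=True)
class State:
    """ip xfrm state add src S dst D proto P spi N reqid R mode M [sel ...]"""
    src: str
    dst: str
    proto: str
    spi: int
    mode: str = "tunnel"
    reqid: int = 0                # 0 = no reqid configured
    sel: Optional[Selector] = None


@dataclass(frozen=True)
class Template:
    """The tmpl part of ip xfrm policy add; spi and reqid are optional."""
    src: str
    dst: str
    proto: str
    mode: str = "tunnel"
    reqid: int = 0
    spi: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    sel: Selector
    tmpl: Template


def find_state(policy: Policy, flow: Flow, states) -> Optional[State]:
    """Return the first state usable for `flow` under `policy`, else None."""
    if not policy.sel.matches(flow):
        return None                      # policy does not cover this flow
    t = policy.tmpl
    for x in states:
        if (x.src, x.dst, x.proto, x.mode) != (t.src, t.dst, t.proto, t.mode):
            continue
        if x.reqid != t.reqid:           # reqid must agree (0 on both = none)
            continue
        if t.spi is not None and t.spi != x.spi:
            continue                     # template pinned to one SPI
        if x.sel is not None and not x.sel.matches(flow):
            continue                     # SA selector excludes this flow
        return x
    return None


# Constructed sample configuration.
SA_PLAIN = State("192.0.2.1", "198.51.100.1", "esp", spi=0x1000)
SA_SSH = State("192.0.2.1", "198.51.100.1", "esp", spi=0x2000, reqid=7,
               sel=Selector("10.0.1.0/24", "10.0.2.0/24", proto="tcp", dport=22))
STATES = [SA_PLAIN, SA_SSH]

TMPL = Template("192.0.2.1", "198.51.100.1", "esp")
POL_A = Policy(Selector("10.0.1.0/24", "10.0.2.0/24"), TMPL)
POL_B = Policy(Selector("10.0.3.0/24", "10.0.2.0/24"), TMPL)
POL_C = Policy(Selector("10.0.1.0/24", "10.0.2.0/24"),
               Template("192.0.2.1", "198.51.100.1", "esp", reqid=7))


def run_examples() -> dict:
    ssh = Flow("10.0.1.5", "10.0.2.9", "tcp", 22)
    http = Flow("10.0.1.5", "10.0.2.9", "tcp", 80)
    ssh_from_b = Flow("10.0.3.5", "10.0.2.9", "tcp", 22)
    return {
        # one selector-less SA serves two policies with different selectors
        "policy_a_uses_plain": find_state(POL_A, ssh, STATES) is SA_PLAIN,
        "policy_b_uses_plain": find_state(POL_B, ssh_from_b, STATES) is SA_PLAIN,
        # reqid 7 in the template selects the SA with reqid 7 ...
        "policy_c_ssh_uses_reqid7": find_state(POL_C, ssh, STATES) is SA_SSH,
        # ... but that SA's narrower selector leaves other flows without an SA
        "policy_c_http_has_no_sa": find_state(POL_C, http, STATES) is None,
        # a flow outside the policy selector never reaches the SA lookup
        "policy_a_rejects_foreign_flow": find_state(POL_A, ssh_from_b, STATES) is None,
    }


if __name__ == "__main__":
    for name, ok in run_examples().items():
        print(f"{name}: {ok}")
```

The last case is the one Grant asks about: with a template reqid of 7 the policy can only ever use SA_SSH, so any flow the policy covers but the SA selector does not (HTTP here) ends up with no SA in this model. That is the practical reason to keep the SA selector no narrower than the policy selector when configuring by hand, which is consistent with the advice in the thread.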