[anonsec] BYPASS OR PROTECT

Michael Richardson mcr at sandelman.ca
Fri May 11 15:56:54 PDT 2007


Stephen Kent wrote:
>>     Stephen> Does the spec say that it is used ONLY by a responder? If
>>     Stephen> so, then your wording sounds better. If not, ...
>>

> At 1:09 PM -0400 4/4/07, Michael Richardson wrote:
>>   1) BTNS says nothing about how nodes know to do BTNS. We explicitly
>>      left out discovery.
>>      So, an initiator would have to have some PAD/SPD entry that told it
>>      to do something.
>>
>>      If that thing was "PROTECT IF REQUESTED", and the application
>>      requested protection, then that wording would fit.

Stephen Kent wrote:
> I was focusing on the requester being the peer, not the application 
> triggering SA creation.
> 
> I am still a bit confused. Are you saying that if an app requests 
> IPsec protection for a connection then this entry will try to create 
> an SA, but it will not try to create an SA if the app does not 
> request it? I guess I tend to think in PAD/SPD -centric terms, not 

   Yes. This is not the same as inserting a PAD/SPD entry that creates an SA 
upon the first packet (with or without the "populate from packet" option).

> I also see a possible disconnect here. Consider an SPD entry that 
> supports our new "PROTECT IF X" feature and that entry is a tunnel 
> for ALL TCP traffic between Host A and Host B. Let's say that one app 

   I agree that we need to decide whether or not to "migrate" the traffic. 
This is an interoperability issue.
   The applications which did *NOT* request the SA are presumably happy 
(i.e. "secure") even if they don't get IPsec protection.  Probably they don't 
even know anything about it.  How is this any different than suddenly turning 
on that bump-in-the-wire site-to-site IPsec gateway?

   I don't like the term "migrate", because I wouldn't have had a "BYPASS" 
entry for the traffic in the clear. The traffic went in the clear because it 
fell off the end of the SPD, and the default was clear (vs drop).

> does not request an SA between A and B, and so an unprotected TCP 
> connection is established. Then a second app requests an SA, if 
> possible. Do we create a tunnel and migrate the old, unprotected 
> traffic to the tunnel? If not, we would seem to have a conflict 
> between two SAD entries, one labelled BYPASS and one ESP, with the 
> same scope (based on the SPD entry I described above). have we 
> discussed this scenario before, and if so, what was the conclusion?
> 
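The two-application scenario above, as an added model that is not part of this message or the BTNS drafts: a host whose SPD carries a hypothetical "PROTECT IF REQUESTED" entry, traffic that falls off the end of the SPD getting the default treatment, and the conflict that appears when a second application asks for an SA over a selector that already has a clear flow. The class, flow table and `migrate` switch are my own assumptions.

```python
from dataclasses import dataclass

# SPD actions; PROTECT_IF_REQUESTED is the proposed action discussed in the thread
BYPASS, PROTECT, DISCARD, PROTECT_IF_REQUESTED = "BYPASS", "PROTECT", "DISCARD", "PROTECT_IF_REQUESTED"

@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: str

@dataclass
class SpdEntry:
    sel: Selector
    action: str

class Host:
    """Constructed model of one host's SPD plus a table of live flows (assumption)."""
    def __init__(self, spd, default=BYPASS, migrate=False):
        self.spd = spd            # ordered SPD, first match wins
        self.default = default    # treatment for traffic that falls off the end of the SPD
        self.migrate = migrate    # move an existing clear flow into a newly created SA?
        self.flows = {}           # Selector -> "BYPASS" or "ESP" currently applied

    def lookup(self, sel):
        for e in self.spd:
            if e.sel == sel:
                return e.action
        return self.default       # no explicit BYPASS entry: unmatched traffic goes clear (or is dropped)

    def connect(self, sel, app_requests_ipsec):
        action = self.lookup(sel)
        if action == DISCARD:
            return "DISCARD", "dropped"
        if action == PROTECT_IF_REQUESTED:
            action = PROTECT if app_requests_ipsec else BYPASS
        wanted = "ESP" if action == PROTECT else "BYPASS"
        current = self.flows.get(sel)
        if current is None or current == wanted:
            self.flows[sel] = wanted
            return wanted, "new" if current is None else "reuse"
        if wanted == "BYPASS":    # an SA already exists; the app that did not ask for it simply gets it
            return "ESP", "reuse"
        if self.migrate:          # second app asked for protection: move the clear flow into the SA
            self.flows[sel] = "ESP"
            return "ESP", "migrated"
        return "BYPASS", "conflict"   # clear flow and ESP request with the same scope
```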
