
Terminology: what do you call a set of related SA/SPIs?



The current ipsec architecture documents define a "security
association" as a unidirectional link; if you want communication in
both directions (the normal case at least with today's apps), you need
a pair of SA/SPIs.

If you're using both AH and ESP at the same time, you need *two* SPIs
in each direction (though this is less likely with the current "grand
unified transforms").

If you're doing regular key changes and expiring SAs/SPIs, the
"relationship" between the communicating principals may outlast the
lifetime of individual SAs.  [I don't see this explicitly stated,
but I don't see a way to cleanly rekey an active SA without changing
the SPI number].

I think we need a name for a higher-level relationship between
principals involving multiple SA/SPIs.  Unfortunately, "security
association" is already taken.

I'm real bad at naming.  Anyone got any bright ideas?

						- Bill
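As an added illustration (not part of Bill's message), a small Python model of the objects the post describes: unidirectional SAs identified by SPI, one pair per protocol (so AH+ESP gives four), and a higher-level relationship that keeps its identity while rekeying retires old SPIs and allocates new ones. The names `SecurityAssociation` and `PrincipalRelationship` and the SPI numbers are invented here for the example.

```python
"""Toy model of unidirectional SAs grouped under a longer-lived relationship.

Added example; the IPsec documents only define the unidirectional SA
identified by an SPI.  PrincipalRelationship is a hypothetical name for
the higher-level object the post is asking about.
"""
from dataclasses import dataclass, field
from itertools import count

# Constructed sample values: SPIs are handed out from a counter starting
# at 256 so they are easy to read; a real implementation picks them
# according to its own allocation policy.
_spi_counter = count(256)


@dataclass(frozen=True)
class SecurityAssociation:
    """One unidirectional SA, identified by (SPI, protocol, direction)."""
    spi: int
    protocol: str    # "AH" or "ESP"
    direction: str   # "out" or "in", from the local principal's view


@dataclass
class PrincipalRelationship:
    """Hypothetical container for the SAs between two principals.

    It owns the SAs currently in use and survives rekeying, which is the
    property the post says the SA itself lacks."""
    local: str
    peer: str
    protocols: tuple = ("ESP",)
    active: dict = field(default_factory=dict)   # SPI -> SecurityAssociation
    retired: list = field(default_factory=list)  # SAs whose lifetime ended

    def establish(self):
        """Create one SA per (protocol, direction) and return their SPIs."""
        for proto in self.protocols:
            for direction in ("out", "in"):
                sa = SecurityAssociation(next(_spi_counter), proto, direction)
                self.active[sa.spi] = sa
        return sorted(self.active)

    def rekey(self):
        """Replace every active SA: new keys mean new SPIs, while the
        relationship object itself is unchanged.  Returns the new SPIs."""
        self.retired.extend(self.active.values())
        self.active.clear()
        return self.establish()

    def lookup(self, spi):
        """Inbound demux by SPI; a retired SPI must no longer match."""
        return self.active.get(spi)
```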

