Re: Terminology: what do you call a set of related SA/SPI's?
I've been simply using "SA pairs." Do we need anything more than
that?
______________________________ Reply Separator _________________________________
Subject: Terminology: what do you call a set of related SA/SPI's?
Author: Bill Sommerfeld <sommerfeld@apollo.hp.com> at internet-mail
Date: 12/3/96 4:29 PM
The current ipsec architecture documents define a "security
association" as a unidirectional link; if you want communication in
both directions (the normal case at least with today's apps), you need
a pair of SA/SPI's.

If you're using both AH and ESP at the same time, you need *two* SPI's
in each direction (though this is less likely with the current "grand
unified transforms").

If you're doing regular key changes and expiring SA's/SPI's, the
"relationship" between the communicating principals may outlast the
lifetime of individual SA's.. [I don't see this explicitly stated,
but I don't see a way to cleanly rekey an active SA without changing
the SPI number].

I think we need a name for a higher-level relationship between
principals involving multiple SA/SPI's.. Unfortunately, "security
association" is already taken.

I'm real bad at naming. Anyone got any bright ideas?

- Bill