
Re: Terminology: what do you call a set of related SA/SPI's?



     I've been simply using "SA pairs."  Do we need anything more than 
     that?


______________________________ Reply Separator _________________________________
Subject: Terminology: what do you call a set of related SA/SPI's?
Author:  Bill Sommerfeld <sommerfeld@apollo.hp.com> at internet-mail
Date:    12/3/96 4:29 PM


The current ipsec architecture documents define a "security 
association" as a unidirectional link; if you want communication in 
both directions (the normal case at least with today's apps), you need 
a pair of SA/SPI's.
     
If you're using both AH and ESP at the same time, you need *two* SPI's 
in each direction (though this is less likely with the current "grand 
unified transforms").
     
If you're doing regular key changes and expiring SA's/SPI's, the 
"relationship" between the communicating principals may outlast the 
lifetime of individual SA's.  [I don't see this explicitly stated, 
but I don't see a way to cleanly rekey an active SA without changing 
the SPI number].
     
I think we need a name for a higher-level relationship between 
principals involving multiple SA/SPI's.  Unfortunately, "security 
association" is already taken.
     
I'm real bad at naming.  Anyone got any bright ideas?
     
      - Bill
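As an added illustration (not part of this thread), a small Python model of the relationship Bill describes: each SA is unidirectional and identified by (destination, SPI, protocol), AH and ESP each take their own SPI per direction, and a rekey must install new SPIs while the relationship between the two principals persists. The class name PeerRelationship, the generation counter, and the grace period that keeps the old inbound SAs usable for in-flight packets are assumptions of this model, not anything the thread specifies.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SA:
    """One unidirectional SA: a key bound to a (dst, SPI, proto) triple."""
    dst: str
    spi: int
    proto: str          # "AH" or "ESP"; each needs its own SPI
    key: bytes
    generation: int     # which rekey round created it (assumed bookkeeping)

@dataclass
class PeerRelationship:
    """Hypothetical name for the higher-level relationship; it outlives any SA."""
    local: str
    peer: str
    protos: tuple = ("ESP",)
    sas: list = field(default_factory=list)   # currently usable SAs
    generation: int = 0
    def lookup(self, dst, spi, proto):
        """Receiver-side match for an arriving packet; None if unknown."""
        for sa in self.sas:
            if (sa.dst, sa.spi, sa.proto) == (dst, spi, proto):
                return sa
        return None
    def _fresh_spi(self, dst):
        # Skip reserved SPIs 0-255 and any SPI still live for this dst (the
        # previous generation's included): this is why a rekey needs a new SPI.
        while True:
            spi = secrets.randbelow(2**32 - 256) + 256
            if all(sa.spi != spi for sa in self.sas if sa.dst == dst):
                return spi
    def establish(self):
        """One SA per protocol per direction (simplified: we pick both sides' SPIs)."""
        self.generation += 1
        for dst in (self.local, self.peer):
            for proto in self.protos:
                self.sas.append(SA(dst, self._fresh_spi(dst), proto,
                                   secrets.token_bytes(16), self.generation))
    def rekey(self):
        """New SAs; old outbound stops at once, old inbound stays for in-flight packets."""
        self.establish()
        self.sas = [sa for sa in self.sas
                    if sa.generation == self.generation or sa.dst == self.local]
    def expire_previous_inbound(self):
        """Grace period over: only the current generation remains."""
        self.sas = [sa for sa in self.sas if sa.generation == self.generation]
```

With AH and ESP both enabled, establish() yields four SAs, rekey() briefly leaves six usable (four new plus the two old inbound), and expire_previous_inbound() returns to four.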


