
Re: ISAKMP DOI Question (General, Not IP Specific)



Richard

> - There can only be one SA between two machines at a given time.

I suppose this depends on who owns the SA, i.e. if the owner of an SA 
is identified by the IP address only (and a host has only one IP address), 
then IMHO there can be only one pair of unidirectional SAs between any pair of 
machines. Clearly, if SAs are associated with protocol numbers, user 
ids, ..., then many SAs can exist between any pair of hosts. 

> Therefore since there can only be one DOI to an SA, there can only
> be one DOI active between two machines at a given time. 

Many SAs may be established/exist within any DOI?
 
> I can't find this in the standard. I understand "one DOI to an SA" but
> not "one SA between two machines at a given time"  What am I overlooking
> ?

Establishment of multiple SAs in one SA proposal can only be done for 
one DOI, i.e. you cannot establish 2 SAs for 2 different DOIs within the same
message exchange sequence.


> My concern is that in my context I can have multiple independent types
> of applications running between a pair of machines at a given time.  And
> each application type has independently defined security properties that
> must be negotiated. It had been my intent to at least consider modeling
> each application type as a different DOI. But if the above reported
> statement is correct this approach can't be used.
 
IMHO you do not have to define, and use, multiple DOIs to permit you to 
use multiple applications; just associate the application with the SA.

****************************************************

Elfed T. Weaver
Defence Research Agency
Malvern
UK

weaver@hydra.dra.hmg.gb
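The two points argued above (how many SAs can exist between two hosts depends on what identifies an SA, and one SA payload carries one DOI so an exchange cannot mix DOIs) can be shown with a small model. The following Python is an added example, not code from the thread or from any ISAKMP implementation. It assumes a simplified SA record, the RFC 2401 identification triple (destination, protocol, SPI) as one possible owner key, the IANA value 1 for the IPsec DOI, and a made-up DOI number 99 purely to trigger the mixed-DOI rejection; the hosts, SPIs and application labels are constructed sample data.

```python
"""Toy model of ISAKMP SA ownership and single-DOI SA payloads (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

IPSEC_DOI = 1   # IANA-assigned DOI value for IPsec in an ISAKMP SA payload
OTHER_DOI = 99  # made-up DOI number, used only to demonstrate the rejection


@dataclass(frozen=True)
class SA:
    """One unidirectional SA. proto is the security protocol (50 = ESP, 51 = AH)."""
    src: str
    dst: str
    proto: int
    spi: int
    doi: int = IPSEC_DOI
    app: str = ""       # application label attached to the SA instead of a per-app DOI


class SADB:
    """SA database whose notion of 'owner' is configurable via key_fields.

    With key_fields = ("src", "dst") only one SA per direction fits between two
    hosts; with ("dst", "proto", "spi") (the RFC 2401 triple) many can coexist.
    """

    def __init__(self, key_fields: Sequence[str]):
        self.key_fields = tuple(key_fields)
        self.entries: Dict[Tuple, SA] = {}

    def key(self, sa: SA) -> Tuple:
        return tuple(getattr(sa, f) for f in self.key_fields)

    def add(self, sa: SA) -> None:
        k = self.key(sa)
        if k in self.entries:
            raise ValueError(f"an SA already exists for owner key {k}")
        self.entries[k] = sa

    def between(self, a: str, b: str) -> List[SA]:
        """All SAs (either direction) between hosts a and b."""
        return [sa for sa in self.entries.values() if {sa.src, sa.dst} == {a, b}]


def build_sa_payload(requested: Sequence[SA]) -> dict:
    """Build one ISAKMP SA payload from the SAs to be negotiated.

    An SA payload has a single DOI field, so every SA negotiated through it
    must belong to that DOI; a request spanning two DOIs is rejected.
    """
    dois = {sa.doi for sa in requested}
    if len(dois) != 1:
        raise ValueError(f"one SA payload cannot span DOIs {sorted(dois)}")
    return {
        "doi": dois.pop(),
        "proposals": [{"proto": sa.proto, "spi": sa.spi, "app": sa.app} for sa in requested],
    }


def demo_host_only_ownership() -> bool:
    """Owner = (src, dst): the second SA between the same pair is refused."""
    db = SADB(("src", "dst"))
    db.add(SA("10.0.0.1", "10.0.0.2", 50, 0x1001, app="mail"))
    try:
        db.add(SA("10.0.0.1", "10.0.0.2", 50, 0x1002, app="web"))
    except ValueError:
        return True
    return False


def demo_triple_ownership() -> int:
    """Owner = (dst, proto, spi): several SAs coexist between the same pair."""
    db = SADB(("dst", "proto", "spi"))
    db.add(SA("10.0.0.1", "10.0.0.2", 50, 0x1001, app="mail"))
    db.add(SA("10.0.0.1", "10.0.0.2", 50, 0x1002, app="web"))
    db.add(SA("10.0.0.1", "10.0.0.2", 51, 0x1003, app="dns"))
    return len(db.between("10.0.0.1", "10.0.0.2"))


def demo_mixed_doi() -> bool:
    """Two SAs for two DOIs cannot go into one SA payload."""
    try:
        build_sa_payload([
            SA("10.0.0.1", "10.0.0.2", 50, 0x1001, doi=IPSEC_DOI),
            SA("10.0.0.1", "10.0.0.2", 51, 0x2001, doi=OTHER_DOI),
        ])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("host-only ownership refuses 2nd SA:", demo_host_only_ownership())
    print("triple ownership, SAs between pair:", demo_triple_ownership())
    print("mixed-DOI payload rejected:", demo_mixed_doi())
```

The `app` field is the "associate the application with the SA" suggestion from the reply: several applications each get their own SA (distinct SPI) under the one IPsec DOI, so no per-application DOI is needed.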