Grouping SAs (was Re: How many algorithms per SA/Transform?)
In message <199703061758.MAA09960@carp.morningstar.com>, Ben Rogers writes:
>
> A single IPsec Security Association is a simplex (unidirectional)
> connection with which either AH or ESP (but not both) is employed. If both
> AH and ESP protection is to be applied to a traffic stream, then two (or
> more) security associations are created to control processing of the
> traffic stream.
>
> To me, this seems to be a clarification of RFC1825, and not a change in
> intent. Is this not the case?
Which brings us back to an old question: what do you call the set of
Security Associations that describe the actual desired results, as in
"use AH(HMAC-MD5) for authentication, ESP(DES)(tunnel mode) for encryption,
 -------------------------------      ------------------------------------
              SA 1                                    SA 2
and only accept traffic that has AH(HMAC-MD5) , ESP(DES)(tunnel mode)."
                                 -----------    ---------------------
                                    SA 3                SA 4
Is this perhaps a "Security Association Bundle"? Anyone got a better name?
--
Harald Koch
chk@utcc.utoronto.ca