
Grouping SAs (was Re: How many algorithms per SA/Transform?)



In message <199703061758.MAA09960@carp.morningstar.com>, Ben Rogers writes:
> 
>         A single IPsec Security Association is a simplex (unidirectional)
>    connection with which either AH or ESP (but not both) is employed.  If both
>    AH and ESP protection is to be applied to a traffic stream, then two (or
>    more) security associations are created to control processing of the
>    traffic stream.
> 
> To me, this seems to be a clarification of RFC1825, and not a change in
> intent.  Is this not the case?

Which brings us back to an old question: what do you call the set of
Security Associations that describe the actual desired results, as in

"use AH(HMAC-MD5) for authentication, ESP(DES)(tunnel mode) for encryption,
     -------------------------------  ------------------------------------
                 SA 1                          SA 2

and only accept traffic that has AH(HMAC-MD5) , ESP(DES)(tunnel mode)."
                                  -----------   ---------------------
                                      SA 3              SA 4


Is this perhaps a "Security Association Bundle"? Anyone got a better name?

-- 
Harald Koch
chk@utcc.utoronto.ca
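A small model of the grouping discussed above, added here as an example and not code from the original thread: each SA is simplex and carries exactly one protocol, so the two desired protections expand into four SAs (AH out, ESP out, AH in, ESP in, in the same order as SA 1 to SA 4 above), and inbound traffic is accepted only if every inbound SA of the bundle was matched. AH in transport mode, the SPI values, and the names `build_bundle`, `required_inbound` and `accept_inbound` are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Proto(Enum):
    AH = "AH"
    ESP = "ESP"


@dataclass(frozen=True)
class SA:
    """One simplex SA: a single direction and a single protocol (AH or ESP)."""
    spi: int
    direction: str      # "out" or "in"
    proto: Proto
    algorithm: str      # e.g. "HMAC-MD5" for AH, "DES" for ESP
    mode: str           # "transport" or "tunnel"

    def __post_init__(self):
        if self.direction not in ("out", "in"):
            raise ValueError("direction must be 'out' or 'in'")
        if self.mode not in ("transport", "tunnel"):
            raise ValueError("mode must be 'transport' or 'tunnel'")


def build_bundle(protections, first_spi=1):
    """Expand the desired protections into the SAs that realise them.

    protections: list of (Proto, algorithm, mode). Since an SA carries one
    protocol in one direction, each protection yields one outbound and one
    inbound SA. SPIs are constructed sample values, assigned sequentially.
    """
    sas = []
    spi = first_spi
    for direction in ("out", "in"):
        for proto, alg, mode in protections:
            sas.append(SA(spi, direction, proto, alg, mode))
            spi += 1
    return sas


def required_inbound(bundle):
    """The set of protections every accepted inbound packet must carry."""
    return {(sa.proto, sa.algorithm, sa.mode) for sa in bundle if sa.direction == "in"}


def accept_inbound(bundle, found):
    """Accept only if all inbound SAs of the bundle matched.

    found: set of (Proto, algorithm, mode) actually verified on the packet.
    """
    return required_inbound(bundle) <= found
```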

