Re: How many algorithms per SA/Transform?
--- On Thu, 6 Mar 1997 12:58:25 -0500 (EST) Ben Rogers <ben@Ascend.COM> wrote:
> From the latest draft (draft-ietf-ipsec-arch-sec-01.txt), I understand
> that you should never have more than one transform per SA:
>
> 1.5 Security Association Management
>
> ...
>
> A single IPsec Security Association is a simplex (unidirectional)
> connection with which either AH or ESP (but not both) is employed. If both
> AH and ESP protection is to be applied to a traffic stream, then two (or
> more) security associations are created to control processing of the
> traffic stream.
>
> To me, this seems to be a clarification of RFC1825, and not a change in
> intent. Is this not the case?
What you say makes sense to me, as the editor of RFC-1825.
I will note, however, that with the Combined ESP transform one somewhat
obviates the need for end-to-end AH+ESP that existed when RFC-1828/RFC-1829
were the only standards-track transforms.
There might be legitimate situations where ESP were used from H1 to H2
and a tunnel-mode AH were in use from R1 to R2, where H1,H2 are IPsec-
capable hosts and R1,R2 are IPsec-capable encrypting routers (aka
security gateways), and the topology were loosely described as:
H1----R1---[IP cloud]---R2---H2
This situation would cause the packets on the wire between R1 and R2 to look
something like this:
[IP, R1->R2][AH][IP, H1->H2][ESP[user data]]
Ran
rja@inet.org
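The nested-SA layout above is easy to get wrong in implementation, so here is an added example (not code from the message, the RFCs, or any IPsec implementation) that models the two separate SAs as layered processing: transport-mode ESP between H1 and H2, then tunnel-mode AH between R1 and R2. Headers are modelled as dicts, both ICVs as HMAC-SHA256, and ESP uses null encryption so the example runs with only the standard library; all keys and addresses are constructed, and the function names are this example's own.

```python
"""Model of two stacked IPsec SAs for the topology
H1----R1---[IP cloud]---R2---H2: ESP (transport mode) H1<->H2, wrapped in
tunnel-mode AH R1<->R2.  Headers are dicts, ICVs are HMAC-SHA256, and ESP
uses null encryption so the example runs with the standard library alone.
All keys and addresses are constructed for the example."""
import hmac
import hashlib
import json

# Constructed keys for the two SAs (hypothetical values, one per SA).
ESP_KEY_H1_H2 = b"esp-key-h1-h2-constructed"
AH_KEY_R1_R2 = b"ah-key-r1-r2-constructed"


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _canon(obj):
    # Deterministic serialization of a header/payload structure.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def esp_encapsulate(key, user_data, src, dst):
    # Transport-mode ESP at H1: the ICV covers the ESP payload only;
    # H1's own IP header is prepended afterwards and is not protected by ESP.
    esp = {"proto": "ESP", "payload": user_data,
           "icv": _icv(key, _canon({"payload": user_data})).hex()}
    return {"proto": "IP", "src": src, "dst": dst, "next": esp}


def ah_tunnel_encapsulate(key, packet, src, dst):
    # Tunnel-mode AH at R1: the whole H1->H2 packet becomes the payload, and
    # the AH ICV covers the immutable outer IP fields plus everything after AH.
    covered = {"src": src, "dst": dst, "payload": packet}
    ah = {"proto": "AH", "payload": packet, "icv": _icv(key, _canon(covered)).hex()}
    return {"proto": "IP", "src": src, "dst": dst, "next": ah}


def ah_tunnel_decapsulate(key, outer):
    # At R2: verify the AH ICV before exposing the inner packet.
    ah = outer["next"]
    covered = {"src": outer["src"], "dst": outer["dst"], "payload": ah["payload"]}
    if not hmac.compare_digest(bytes.fromhex(ah["icv"]), _icv(key, _canon(covered))):
        raise ValueError("AH ICV check failed at R2")
    return ah["payload"]


def esp_decapsulate(key, packet):
    # At H2: verify the ESP ICV, then hand the user data up the stack.
    esp = packet["next"]
    expected = _icv(key, _canon({"payload": esp["payload"]}))
    if not hmac.compare_digest(bytes.fromhex(esp["icv"]), expected):
        raise ValueError("ESP ICV check failed at H2")
    return esp["payload"]


def layout(packet):
    """Render the header chain, e.g. [IP, R1->R2][AH][IP, H1->H2][ESP[user data]]."""
    parts, node = [], packet
    while isinstance(node, dict):
        if node["proto"] == "IP":
            parts.append(f"[IP, {node['src']}->{node['dst']}]")
            node = node["next"]
        elif node["proto"] == "AH":
            parts.append("[AH]")
            node = node["payload"]
        else:  # ESP is the innermost header in this topology
            parts.append(f"[ESP[{node['payload']}]]")
            node = None
    return "".join(parts)


def on_the_wire(user_data="user data"):
    # Two SAs, applied in order: ESP at H1, then AH at R1.
    inner = esp_encapsulate(ESP_KEY_H1_H2, user_data, "H1", "H2")
    return ah_tunnel_encapsulate(AH_KEY_R1_R2, inner, "R1", "R2")


def deliver(outer):
    # Reverse order on the receiving side: R2 strips AH, then H2 strips ESP.
    inner = ah_tunnel_decapsulate(AH_KEY_R1_R2, outer)
    return esp_decapsulate(ESP_KEY_H1_H2, inner)


def modified_in_transit(outer):
    # A corrupted inner packet between R1 and R2 is caught by AH at R2,
    # before the ESP layer is ever examined.
    damaged = json.loads(json.dumps(outer))
    damaged["next"]["payload"]["next"]["payload"] = "altered"
    try:
        deliver(damaged)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    pkt = on_the_wire()
    print(layout(pkt))
    print(deliver(pkt))
    print(modified_in_transit(pkt))
```

The point the model makes explicit is that the two protections belong to two SAs with two keys and two endpoints, so each side only verifies the layer it owns: R2 checks the AH ICV over the outer header and the opaque inner packet, and H2 checks ESP without ever seeing AH.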