
Re: How many algorithms per SA/Transform?




--- On Thu, 6 Mar 1997 12:58:25 -0500 (EST)  Ben Rogers <ben@Ascend.COM> wrote:

> From the latest draft (draft-ietf-ipsec-arch-sec-01.txt), I understand
> that you should never have more than one transform per SA:
> 
> 1.5 Security Association Management
> 
> ...
> 
>         A single IPsec Security Association is a simplex (unidirectional)
>    connection with which either AH or ESP (but not both) is employed.  If both
>    AH and ESP protection is to be applied to a traffic stream, then two (or
>    more) security associations are created to control processing of the
>    traffic stream.
> 
> To me, this seems to be a clarification of RFC1825, and not a change in
> intent.  Is this not the case?

What you say makes sense to me, as the editor of RFC-1825.

I will note, however, that with the Combined ESP transform one somewhat
obviates the need for end-to-end AH+ESP that existed when RFC-1828/RFC-1829 
were the only standards-track transforms.

There might be legitimate situations where ESP were used from H1 to H2
and a tunnel-mode AH were in use from R1 to R2, where H1,H2 are IPsec-
capable hosts and R1,R2 are IPsec-capable encrypting routers (aka
security gateways), and the topology were loosely described as:
	H1----R1---[IP cloud]---R2---H2

This situation would cause the packets on the wire between R1 and R2 to look
something like this:
	[IP, R1->R2][AH][IP, H1->H2][ESP[user data]]

Ran
rja@inet.org
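The wire layout Ran sketches, [IP, R1->R2][AH][IP, H1->H2][ESP[user data]], is exactly the kind of header chain a monitoring tool or an IPsec implementation has to walk, and each AH or ESP layer in it corresponds to one SA identified by (protocol, destination address, SPI). The script below is an added illustration written for this archive page, not code from the thread's participants or from any IPsec implementation. It constructs a sample packet in that layout with assumed addresses (10.0.0.1/10.0.0.2 for R1/R2, 192.168.1.10/192.168.2.20 for H1/H2), assumed SPIs, a zeroed AH ICV placeholder and stand-in bytes for the ESP ciphertext, then parses the header chain back and lists the two SAs it implies. It stops at the ESP header because everything past it is opaque without that SA's keys.

```python
import socket
import struct

# IANA IP protocol numbers
IPPROTO_IPIP = 4    # IP-in-IP, which is what tunnel-mode AH carries
IPPROTO_ESP = 50
IPPROTO_AH = 51


# ---- builders (used only to construct the sample packet) ----

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ah(next_hdr, spi, seq, icv):
    """AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def build_esp(spi, seq, ciphertext):
    """ESP: SPI, Seq, then the encrypted payload (opaque to anyone without the SA)."""
    return struct.pack("!II", spi, seq) + ciphertext


# ---- parsers ----

def parse_ipv4(buf, off):
    ihl = (buf[off] & 0x0F) * 4
    proto = buf[off + 9]
    src = socket.inet_ntoa(buf[off + 12:off + 16])
    dst = socket.inet_ntoa(buf[off + 16:off + 20])
    return proto, src, dst, off + ihl


def parse_ah(buf, off):
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack_from("!BBHII", buf, off)
    return next_hdr, spi, seq, off + (payload_len + 2) * 4


def parse_esp(buf, off):
    spi, seq = struct.unpack_from("!II", buf, off)
    return spi, seq, off + 8


def walk(buf):
    """Follow the header chain from the outer IP header; stop at ESP or an unknown protocol."""
    layers = []
    proto, src, dst, off = parse_ipv4(buf, 0)
    layers.append(("IP", src, dst))
    while True:
        if proto == IPPROTO_AH:
            proto, spi, seq, off = parse_ah(buf, off)
            layers.append(("AH", spi, seq))
        elif proto == IPPROTO_IPIP:
            proto, src, dst, off = parse_ipv4(buf, off)
            layers.append(("IP", src, dst))
        elif proto == IPPROTO_ESP:
            spi, seq, off = parse_esp(buf, off)
            layers.append(("ESP", spi, seq))
            break  # payload is ciphertext; nothing more to learn without the SA keys
        else:
            layers.append(("PROTO", proto))
            break
    return layers


def security_associations(layers):
    """One SA per AH/ESP layer, identified by (protocol, destination address, SPI)."""
    sas, dst = [], None
    for layer in layers:
        if layer[0] == "IP":
            dst = layer[2]
        elif layer[0] in ("AH", "ESP"):
            sas.append((layer[0], dst, layer[1]))
    return sas


# ---- constructed sample: the R1->R2 wire packet from the thread ----
R1, R2 = "10.0.0.1", "10.0.0.2"          # assumed gateway addresses
H1, H2 = "192.168.1.10", "192.168.2.20"  # assumed host addresses
AH_SPI, ESP_SPI = 0x1000, 0x2000         # assumed SPIs

_esp = build_esp(ESP_SPI, 7, b"\xde\xad\xbe\xef" * 4)      # stand-in for ciphertext
_inner = build_ipv4(H1, H2, IPPROTO_ESP, _esp)             # H1->H2, ESP transport mode
_ah = build_ah(IPPROTO_IPIP, AH_SPI, 1, b"\x00" * 12)      # 96-bit ICV placeholder, not computed
SAMPLE_PACKET = build_ipv4(R1, R2, IPPROTO_AH, _ah + _inner)  # R1->R2, AH tunnel mode

if __name__ == "__main__":
    for layer in walk(SAMPLE_PACKET):
        print(layer)
    for sa in security_associations(walk(SAMPLE_PACKET)):
        print("SA:", sa)
```

Running it prints the four layers in the order they sit on the wire and then two SAs: the AH one terminating at R2 and the ESP one terminating at H2, which is the "two (or more) security associations" case the draft text quoted above describes.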
