
RE: Clarification and a single SA



>>S. Arockia Suren (suren@teil.soft.net) said on 5/16/97 at 10:46 AM
>
>
> ISAKMP SAs are bidirectional because any of the negotiators can
>start phase 2. Similarly after Oakley negotiations any party can start to
>send IP packets. I would like to know if the latter would be true in the
>future also. Does ISAKMP allow negotiations that will be used in only
>one direction in spite of SPIs exchanged.
>
>Suren.
>

The last question in the above paragraph is getting lost.  ISAKMP does not allow
for a SINGLE one-way SA to be negotiated.  Always an identical pair (in terms of policy).
This is unfortunate since it may be desirable to have bulk outbound transfers of secure
data be encrypted, but the inbound acks could be only authenticated or even in the clear
in order to save processing time.

I suppose there is nothing to prevent TWO pairs of SAs from being
negotiated (a secure Inbound/Outbound pair which is really only used for outbound, and an
insecure Inbound/Outbound pair which is really only used for inbound) but that
seems a bit wasteful and requires some input from the system's policy or application as to which
outbound SA to use, for example.


Edward Russell
erussell@ftp.com
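The two-pair workaround described in the reply above, as an added illustrative model (not code from the list or from any IPsec implementation): phase-2 negotiation only ever yields an inbound/outbound pair with identical policy, so asymmetric protection needs two pairs plus a local policy rule that picks the outbound SA. All names, SPI values and traffic classes are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

# Constructed example: a toy SA database (SADB) with the pairing constraint
# from the post. SPI values are allocated from a fake counter.
_spi = count(0x1000)


@dataclass(frozen=True)
class SA:
    spi: int
    direction: str    # "in" or "out"
    protection: str   # "esp" (encrypted + authenticated), "ah" (auth only), "none"


def negotiate_pair(protection):
    """Model of a phase-2 exchange: always an identical pair, one SA per
    direction. A lone one-way SA cannot be produced, as the post states."""
    if protection not in ("esp", "ah", "none"):
        raise ValueError("unknown protection level")
    return (SA(next(_spi), "in", protection), SA(next(_spi), "out", protection))


class SADB:
    def __init__(self):
        self.inbound = {}    # spi -> SA; receiver looks up by SPI in the packet
        self.outbound = []   # several candidate outbound SAs
        self.policy = {}     # traffic class -> protection required when sending

    def install_pair(self, pair):
        sa_in, sa_out = pair
        self.inbound[sa_in.spi] = sa_in
        self.outbound.append(sa_out)

    def select_outbound(self, traffic_class):
        """The policy input the post says is needed: choosing which of the
        negotiated outbound SAs carries a given kind of traffic."""
        want = self.policy[traffic_class]
        for sa in self.outbound:
            if sa.protection == want:
                return sa
        raise LookupError("no outbound SA satisfies policy for " + traffic_class)

    def lookup_inbound(self, spi):
        return self.inbound[spi]


def bulk_transfer_setup():
    """Two pairs: ESP pair really used only for outbound bulk data,
    AH pair really used only for inbound acks (the post's scenario)."""
    db = SADB()
    db.install_pair(negotiate_pair("esp"))
    db.install_pair(negotiate_pair("ah"))
    db.policy = {"bulk-data": "esp", "ack": "ah"}
    return db
```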