Re: Clarification please!
>I've heard these tossed around by myself and others from time to time:
>
> SA PAIR - A pair of unidirectional SAs that provide protection
> on a unicast session by covering each direction. They
> are otherwise matched.
>Any comments?
>
Dan,
I've used the term SA PAIR as well. Now, suppose HOST A wants to talk to
HOST B using AH-ESP(transport) w/3DES end2end. To further complicate things,
suppose that both HOST A and B are required to use AH with their Security
Gateways (A' and B') for all outgoing traffic as depicted below:
                |---------- AH-ESP(transport)-----------|
HOST A ------- A' ------------ B'------ HOST B
       |---AH---|                |---AH---|
Using your notation, HOST A would have 3 SA PAIRs "related" to the same session:
e.g. SA spi=0x1001001, ESP, 3DES, <no auth>, A -> B
SA spi=0x5150000, ESP, 3DES, <no auth>, B -> A
SA spi=0x2112, AH, HMAC-MD5, A -> B
SA spi=0x5150, AH, HMAC-MD5, B -> A
SA spi=0x82069, AH, HMAC-SHA1, A -> A'
SA spi=0x10738, AH, HMAC-SHA1, A' -> A
HOST B would have an equivalent set of SA PAIRs. It might be useful to have
a way to describe this SA relationship too. Perhaps we could define:
SA Composite (SAC)= {Set of SA PAIRs related to the same unicast session}
>I'd call it an asymmetric pair, myself. A "bundle" conjures up a more
>general concept --- I'd use it to describe things like "use AH with
>spi xxxx and ESP with spi xxxx outgoing, and expect AH with spi yyyy
>and ESP with spi yyyy incoming" etc.
"SA Bundles" per Hilarie's definition could be elements of a SAC.
Luis
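As an added example (not part of Luis's message), the six SAs listed above modelled as unidirectional entries and grouped first into SA PAIRs and then into an SAC; the SA class, the function names, and the rule that the pairs between a host and its own gateway count as "related" to the session are assumptions, and an SA with no reverse-direction twin is reported as unpaired.

```python
from dataclasses import dataclass

# Constructed model of the six SAs in the message: one entry per
# unidirectional Security Association (spi, protocol, transform, src -> dst).
@dataclass(frozen=True)
class SA:
    spi: int
    proto: str   # "AH" or "ESP"
    alg: str     # transform, e.g. "3DES" or "HMAC-MD5"
    src: str
    dst: str

HOST_A_SADB = [
    SA(0x1001001, "ESP", "3DES", "A", "B"),
    SA(0x5150000, "ESP", "3DES", "B", "A"),
    SA(0x2112, "AH", "HMAC-MD5", "A", "B"),
    SA(0x5150, "AH", "HMAC-MD5", "B", "A"),
    SA(0x82069, "AH", "HMAC-SHA1", "A", "A'"),
    SA(0x10738, "AH", "HMAC-SHA1", "A'", "A"),
]

def sa_pairs(sadb):
    """Group SAs into SA PAIRs: same protocol and transform, endpoints
    reversed. Returns (pairs, unpaired); an SA with no reverse-direction
    twin is reported rather than silently treated as bidirectional."""
    groups = {}
    for sa in sadb:
        key = (sa.proto, sa.alg, frozenset((sa.src, sa.dst)))
        groups.setdefault(key, []).append(sa)
    pairs, unpaired = [], []
    for sas in groups.values():
        if len(sas) == 2 and sas[0].src == sas[1].dst and sas[0].dst == sas[1].src:
            pairs.append(tuple(sorted(sas, key=lambda s: s.spi)))
        else:
            unpaired.extend(sas)
    return pairs, unpaired

def sa_composite(pairs, host, peer, gateway):
    """SAC for the unicast session host<->peer as seen from `host`: the
    end-to-end pairs plus the pairs between `host` and its own gateway.
    (Assumed rule for 'related'; the message does not define one.)"""
    related = {frozenset((host, peer)), frozenset((host, gateway))}
    return [p for p in pairs if frozenset((p[0].src, p[0].dst)) in related]

if __name__ == "__main__":
    pairs, unpaired = sa_pairs(HOST_A_SADB)
    print(len(pairs), "SA pairs,", len(unpaired), "unpaired")
    for p in sa_composite(pairs, "A", "B", "A'"):
        print(p[0].proto, p[0].alg, [hex(s.spi) for s in p])
```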