Re: users and connections

> However, if we have TCP operating above IPSEC, and we are employing
> integrity (with or without anti-replay) then we are supporting
> connection-oriented integrity provided by TCP, even though IPSEC is
> not providing this service per se.

This is true *if* the TCP connections are (somehow or other) "bound"
to the IPSEC SAs (or, more correctly, since SAs may expire in the
middle of a connection, the principals which "own" the SAs).

					- Bill