Question about SAs and draft-ietf-ipsec-isakmp-oakley-06
Can someone clear up some confusion I have? In the
draft-ietf-ipsec-isakmp-oakley-06.txt (section 5.5) I see:
"A single SA negotiation results in two security associations -- one
inbound and one outbound. Different SPIs for each SA (one chosen by
the initiator, the other by the responder) guarantee a different key
for each direction. The SPI chosen by the destination of the SA is
used to derive KEYMAT for that SA."
In draft-ietf-ipsec-arch-sec-03.txt (section 4.1) I see:
"A Security Association (SA) is a simplex "connection" that affords
security services to the traffic carried by it. Security services
are afforded to an SA by the use of AH, or ESP, but not both. If
both AH and ESP protection is applied to a traffic stream, then two
(or more) SAs are created to afford protection to the traffic stream.
To secure typical, bi-directional communication between two hosts, or
between two security gateways, two Security Associations (one in each
direction) are required."
Now a single ISAKMP Phase 2 SA negotiation can contain a proposal that
specifies both AH and ESP protocols. So shouldn't a single Phase 2 SA
negotiation result in four SAs (SA-AH-In, SA-AH-Out, SA-ESP-In, SA-ESP-Out)
not two as stated in draft-ietf-ipsec-isakmp-oakley-06.txt?
--
Will Fiveash
IBM AIX System Development Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551 Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493 Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
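To make the question concrete, here is a worked example (added for this archive page; it is not code from the poster, from IBM, or from the IETF drafts) that walks through the Phase 2 KEYMAT derivation the quoted section 5.5 refers to. It uses the form published in RFC 2409 section 5.5, which is the successor of draft-ietf-ipsec-isakmp-oakley-06: without PFS, KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), with the prf assumed to be HMAC-SHA1 and the protocol identifiers taken from the IPsec DOI (AH = 2, ESP = 3). SKEYID_d, the nonces and the SPIs are constructed sample values. The point it shows is the one the poster raises: when one proposal carries both AH and ESP, each protocol gets its own SPI pair, so the (protocol, SPI) input to the prf differs four ways and four distinct keys result, whereas an ESP-only proposal yields two.

```python
import hmac
import hashlib

# IPsec DOI protocol identifiers (RFC 2407); the single protocol octet
# is part of the prf input, so AH and ESP never share keying material.
PROTO_AH = 2
PROTO_ESP = 3

# Constructed sample values: Phase 1 output and the Phase 2 nonces.
SKEYID_D = bytes.fromhex("00112233445566778899aabbccddeeff01234567")
NI_B = bytes.fromhex("a1a2a3a4a5a6a7a8")  # initiator nonce body
NR_B = bytes.fromhex("b1b2b3b4b5b6b7b8")  # responder nonce body


def keymat(skeyid_d, protocol, spi, ni_b, nr_b, nbytes=20):
    """KEYMAT for one SA, RFC 2409 5.5 without PFS.

    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b)  ... until nbytes
    The prf is assumed to be HMAC-SHA1 here.
    """
    suffix = bytes([protocol]) + spi + ni_b + nr_b
    blocks = []
    prev = b""
    while sum(len(b) for b in blocks) < nbytes:
        prev = hmac.new(skeyid_d, prev + suffix, hashlib.sha1).digest()
        blocks.append(prev)
    return b"".join(blocks)[:nbytes]


def phase2_sas(skeyid_d, ni_b, nr_b, proposal):
    """Expand one Phase 2 negotiation into its simplex SAs.

    proposal maps a protocol id to (SPI chosen by initiator,
    SPI chosen by responder). Per the draft, the SPI chosen by the
    destination of an SA is the one used to derive that SA's KEYMAT:
    traffic initiator->responder is inbound at the responder, so it
    uses the responder's SPI, and vice versa.
    """
    sas = {}
    for protocol, (spi_i, spi_r) in proposal.items():
        sas[(protocol, "initiator->responder")] = keymat(
            skeyid_d, protocol, spi_r, ni_b, nr_b)
        sas[(protocol, "responder->initiator")] = keymat(
            skeyid_d, protocol, spi_i, ni_b, nr_b)
    return sas


# Constructed SPIs: one pair per protocol in the bundle.
AH_ESP_PROPOSAL = {
    PROTO_AH: (bytes.fromhex("10000001"), bytes.fromhex("20000001")),
    PROTO_ESP: (bytes.fromhex("10000002"), bytes.fromhex("20000002")),
}
ESP_ONLY_PROPOSAL = {PROTO_ESP: AH_ESP_PROPOSAL[PROTO_ESP]}


def distinct_keys(sas):
    """True when every SA in the set received different keying material."""
    keys = list(sas.values())
    return len(keys) == len(set(keys))


if __name__ == "__main__":
    for name, prop in (("AH+ESP", AH_ESP_PROPOSAL), ("ESP only", ESP_ONLY_PROPOSAL)):
        sas = phase2_sas(SKEYID_D, NI_B, NR_B, prop)
        print(f"{name}: {len(sas)} SAs, keys distinct: {distinct_keys(sas)}")
        for (proto, direction), km in sas.items():
            print(f"  proto={proto} {direction:22s} KEYMAT={km.hex()}")
```

Run stand-alone, the script lists four SAs for the AH+ESP bundle and two for ESP alone, each with its own KEYMAT; the SA counting in the arch draft (one simplex SA per protocol per direction) and the two-SA wording in the Oakley draft (which counts per protocol) are thereby both visible in the same derivation.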