
Re: Question about SAs and draft-ietf-ipsec-isakmp-oakley-06



:
:Now a single ISAKMP Phase 2 SA negotiation can contain a proposal that
:specifies both AH and ESP protocols.  So shouldn't a single Phase 2 SA
:negotiation result in four SAs (SA-AH-In, SA-AH-Out, SA-ESP-In, SA-ESP-Out)
:not two as stated in draft-ietf-ipsec-isakmp-oakley-06.txt?


The IPsec arch document just states that _logically_ one SA corresponds to
exactly one IPsec protocol (ESP or AH) and exactly one SPI value being
chosen by the traffic receiver.

The ISAKMP documents state that (due to the protocol design and its SA payload
format) a single phase 2 SA negotiation results, at minimum, in two SAs - one
inbound and one outbound. However, if a proposal includes both ESP and AH
protocols, then each would require a separate SA and _due to_ ISAKMP design both
inbound and outbound SAs will be negotiated at the same time. Each will have its
own SPI!
(ESP+AH)*(inbound+outbound)=(1+1)*(1+1)=4  ;-)))

I understand your confusion, because during ISAKMP design time
there was an attempt to minimize the computation overhead required for
establishment of a bi-directional secured channel, which is most common
in current internetworking.

The ISAKMP authors just, IMO, unreasonably excluded the possibility to negotiate
exactly one _unidirectional_ SA. That would lead to problems later when
implementing, say, different policies for inbound and outbound traffic.

:
:--
:Will Fiveash
:IBM AIX System Development        Internet: will@austin.ibm.com
:11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com@internet
:Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
:

--Alexei
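As an added illustration of the SA bundle Alexei describes above (example code, not from the thread or from any IPsec implementation), this Python model lets each peer choose the SPIs for the SAs it receives on, so an ESP+AH proposal yields four SAs per side and one side's outbound SPI is the other side's inbound SPI. The SPI range, the Peer/SA names and the lookup helper are assumptions for the model.

```python
import secrets
from dataclasses import dataclass

# Constructed model of the SA bundle produced by one ISAKMP Phase 2
# negotiation; not code from the original thread or any IPsec stack.

@dataclass(frozen=True)
class SA:
    protocol: str   # "ESP" or "AH": one SA covers exactly one IPsec protocol
    direction: str  # "in" or "out" from the viewpoint of the peer holding it
    spi: int        # chosen by the peer that receives traffic on this SA

class Peer:
    def __init__(self, name):
        self.name = name
        self.sadb = set()

    def choose_inbound_spis(self, protocols):
        # The receiver picks one SPI per protocol; SPIs 1..255 are reserved
        # by the IPsec architecture, so draw from 256..2^32-1 (assumed range).
        return {p: secrets.randbelow(2**32 - 256) + 256 for p in protocols}

def negotiate_phase2(initiator, responder, proposal):
    """One Phase 2 exchange for a proposal such as ("ESP", "AH").

    Each protocol in the proposal yields an inbound and an outbound SA on
    both sides, so a combined ESP+AH proposal installs four SAs per peer.
    The SPI of every SA is set by its receiver: I's outbound SPI is R's inbound SPI.
    """
    i_spis = initiator.choose_inbound_spis(proposal)   # I receives on these
    r_spis = responder.choose_inbound_spis(proposal)   # R receives on these
    for p in proposal:
        initiator.sadb |= {SA(p, "in", i_spis[p]), SA(p, "out", r_spis[p])}
        responder.sadb |= {SA(p, "in", r_spis[p]), SA(p, "out", i_spis[p])}
    return initiator.sadb, responder.sadb

def lookup_inbound(sadb, spi, protocol):
    """Demux an arriving packet the way a receiver does: by (SPI, protocol)."""
    for sa in sadb:
        if sa.direction == "in" and sa.spi == spi and sa.protocol == protocol:
            return sa
    return None

def bundles_are_consistent(i_sadb, r_sadb):
    """Every outbound SA on one side must exist as an inbound SA on the other."""
    def mirror(sa):
        return SA(sa.protocol, "in" if sa.direction == "out" else "out", sa.spi)
    return (all(mirror(sa) in r_sadb for sa in i_sadb)
            and all(mirror(sa) in i_sadb for sa in r_sadb))
```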


