Re: Question about SAs and draft-ietf-ipsec-isakmp-oakley-06
[. . . ]
:Is the SA above considered a single SA negotiation as specified in the
:following sentence?:
:
: A single SA negotiation results in two security associations -- one
: inbound and one outbound.
At least two, depending on the contents of the 'Proposal' payloads.
If two proposals with the same number exist, then more SAs would
be negotiated.
:Or does the SA payload contain multiple SA negotiations (one for AH and
:another for ESP)?
The SA payload is followed by proposal payload(s); the latter are responsible
for the actual creation of SAs, since they carry the reservation of SPI values.
:Or do I have to use (note the separate SA payloads):
:
: Initiator Responder
: ----------- -----------
: HDR*, HASH(1), SA0, SA1, Ni,
: [, KE ] [, IDci, IDcr ] -->
: <-- HDR*, HASH(2), SA0, SA1, Nr,
: [, KE ] [, IDci, IDcr ]
: HDR*, HASH(3) -->
:
:to negotiate and create an IPSec tunnel that uses AH and ESP?
OOPS, the above case corresponds to what is called an SA bundle.
An SA bundle is used for negotiating SAs whose lifetimes overlap.
Thus when SA0 expires, SA1 is ready to be used without additional
negotiations.
:If a single
:SA payload can only negotiate for one protocol then this needs to be
:clearly stated in the isakmp-oakley draft.
For example, one can send a proposal of the form
(ESP and AH) or (AH) or (ESP). So a question to you: how many SAs would
finally be negotiated, having in mind that the responder has to answer with
only one of the above bracketed proposals? ;-)
[. . .]
--Alexei
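As an added illustration (not part of this mail or of any implementation it discusses), the following Python encodes and parses an SA payload with chained Proposal payloads, using the layout and constant values as later published in RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI), which is an assumption relative to the -06 draft; proposals sharing a number are ANDed, distinct numbers are alternatives, and each protocol in the chosen proposal yields one inbound and one outbound SA. Transform payloads are omitted and the SPI values are constructed.

```python
import struct
from collections import OrderedDict

# Constants from the IPsec DOI (RFC 2407) and ISAKMP (RFC 2408); transforms omitted.
PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 2, 3
PROTO_NAMES = {PROTO_IPSEC_AH: "AH", PROTO_IPSEC_ESP: "ESP"}
NEXT_PROPOSAL, NEXT_NONE = 2, 0
IPSEC_DOI, SIT_IDENTITY_ONLY = 1, 1

def encode_proposal(next_payload, number, proto, spi):
    """Proposal payload (RFC 2408 s3.5): header, #, Protocol-Id, SPI size, 0 transforms, SPI."""
    body = struct.pack("!BBBB", number, proto, len(spi), 0) + spi
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_sa_payload(proposals, next_payload=NEXT_NONE):
    """SA payload (RFC 2408 s3.4); its length covers every chained proposal."""
    last = len(proposals) - 1
    body = b"".join(encode_proposal(NEXT_PROPOSAL if i < last else NEXT_NONE, *p)
                    for i, p in enumerate(proposals))
    return struct.pack("!BBHII", next_payload, 0, 12 + len(body),
                       IPSEC_DOI, SIT_IDENTITY_ONLY) + body

def parse_sa_payload(sa):
    """Walk the proposals inside one SA payload; same number = AND (a bundle such as
    ESP and AH), distinct numbers = OR. Returns number -> [(Protocol-Id, SPI)]."""
    _, _, sa_len, doi, _ = struct.unpack("!BBHII", sa[:12])
    choices, offset = OrderedDict(), 12
    while True:
        nxt, _, plen, num, proto, spi_size, _ = struct.unpack(
            "!BBHBBBB", sa[offset:offset + 8])
        choices.setdefault(num, []).append((proto, sa[offset + 8:offset + 8 + spi_size]))
        offset += plen
        if nxt != NEXT_PROPOSAL:
            break
    assert offset == sa_len, "proposal chain must fill the SA payload"
    return choices

def describe(choices):
    """Render alternatives the way the mail does: (ESP and AH) or (AH) or (ESP)."""
    return " or ".join("(" + " and ".join(PROTO_NAMES[p] for p, _ in protos) + ")"
                       for protos in choices.values())

def sas_for_choice(choices, chosen_number):
    """Responder picks one proposal number; each protocol in it gives an inbound + outbound SA."""
    return 2 * len(choices[chosen_number])

# Constructed sample: #1 = ESP and AH, #2 = AH, #3 = ESP (SPI values made up).
SAMPLE_SA = build_sa_payload([
    (1, PROTO_IPSEC_ESP, b"\x00\x00\x01\x01"), (1, PROTO_IPSEC_AH, b"\x00\x00\x01\x02"),
    (2, PROTO_IPSEC_AH, b"\x00\x00\x01\x03"), (3, PROTO_IPSEC_ESP, b"\x00\x00\x01\x04")])
```

Picking proposal #1 from the sample yields four SAs (AH and ESP, each inbound and outbound), while #2 or #3 yields two.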