
Re: Quick Mode For Multiple SAs



In message <199809220941.CAA05240@fusebox.pgp.com>, Will Price writes:
> I'm puzzled over the various descriptions throughout the IPSEC documents
> with regards to negotiating multiple SAs simultaneously.

It sounds like you are confused by the difference between negotiating multiple
separate SAs (i.e. two separate ESP SAs), and negotiating multiple, *linked*
SAs (i.e. ESP and IPCOMP).
> 
> So, based on the above, there are now three somewhat contradictory ways of
> negotiating multiple SAs at roughly the same time:
> 
> 1] Perform multiple Quick Mode exchanges

This creates separate SAs, obviously.

> 2] Transmit multiple SA payloads in each packet [violating the ISAKMP
> requirement]

This also creates separate SAs. This does not violate ISAKMP, btw.
The ISAKMP requirement is that *linked* SAs must be listed together. So if
you're negotiating ESP with IPCOMP, you must send a single SA, with two
proposals that have the same proposal number; this is how the remote knows
that you want the two SAs linked together.

> 3] Use multiple proposals with the same proposal number in one SA payload
> (IMHO, the logical choice...)

Yep, for what you want.

> And so, I suppose it really comes down to what the implementations are
> actually doing.  If someone wants to negotiate ESP with IPCOMP, do we use
> 1, 2, or 3?

You *must* use 3 for this case. The other two options create SAs that are not
related to each other in any way (i.e. two applications that want unique
keying, or an implementation that wants to negotiate multiple SAs, where each
SA is activated when a previous one expires).

-- 
Harald
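The distinction Harald draws (same proposal number = linked SAs, different numbers = independent alternatives) lives in the Proposal # field of the ISAKMP Proposal payload. The following Python is an added example, not code from either poster: it builds the proposal chain of an SA payload with the RFC 2408 Proposal/Transform layouts and RFC 2407 Protocol-Id values, then parses a received chain and groups proposals by number so a responder can tell "ESP AND IPCOMP" from "ESP OR AH". SPI/CPI values and transform ids in the samples are constructed; the parser's length checks and its rejection of a proposal number that reappears after a different one are this example's own sanity checks, not something the thread states.

```python
import struct

# Next Payload codes from ISAKMP (RFC 2408).
PAYLOAD_NONE, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 2, 3

# Protocol-Id values from the IPsec DOI (RFC 2407).
PROTO_IPSEC_AH, PROTO_IPSEC_ESP, PROTO_IPCOMP = 2, 3, 4
PROTO_NAMES = {PROTO_IPSEC_AH: "AH", PROTO_IPSEC_ESP: "ESP", PROTO_IPCOMP: "IPCOMP"}


def build_transform(transform_id, last=True):
    """One Transform payload (transform #1) with no SA attributes: 8 octets."""
    nxt = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    return struct.pack("!BBHBBH", nxt, 0, 8, 1, transform_id, 0)


def build_proposal(number, protocol_id, spi, transform_id, last=True):
    """One Proposal payload carrying a single transform.  Payload Length
    covers the 8-octet header, the SPI and the transforms that follow."""
    nxt = PAYLOAD_NONE if last else PAYLOAD_PROPOSAL
    transform = build_transform(transform_id)
    length = 8 + len(spi) + len(transform)
    header = struct.pack("!BBHBBBB", nxt, 0, length, number, protocol_id, len(spi), 1)
    return header + spi + transform


def build_sa_body(proposals):
    """Chain (number, protocol_id, spi, transform_id) tuples into the proposal
    list that follows the SA payload's DOI and Situation fields."""
    out = b""
    for i, (number, proto, spi, tid) in enumerate(proposals):
        out += build_proposal(number, proto, spi, tid, last=(i == len(proposals) - 1))
    return out


def parse_proposals(data):
    """Walk a proposal chain, returning [(number, protocol_id, spi), ...].
    Raises ValueError on truncated or inconsistent length fields so a
    malformed peer message cannot drive reads past the buffer."""
    found, off = [], 0
    while True:
        if len(data) - off < 8:
            raise ValueError("truncated proposal header")
        nxt, _, length, number, proto, spi_size, _ntrans = struct.unpack_from(
            "!BBHBBBB", data, off)
        if length < 8 + spi_size or off + length > len(data):
            raise ValueError("bad proposal length")
        spi = data[off + 8:off + 8 + spi_size]
        found.append((number, proto, spi))
        off += length
        if nxt == PAYLOAD_NONE:
            break
        if nxt != PAYLOAD_PROPOSAL:
            raise ValueError("unexpected next payload %d" % nxt)
    if off != len(data):
        raise ValueError("trailing bytes after last proposal")
    return found


def protection_suites(data):
    """Group proposals by Proposal #.  Proposals sharing a number form one
    protection suite whose SAs are negotiated together (option 3 in the
    thread, e.g. ESP with IPCOMP); a different number is an alternative the
    responder may select instead.  Non-contiguous reuse of a number is
    rejected here as malformed (this example's own check)."""
    suites, seen = [], set()
    for number, proto, _spi in parse_proposals(data):
        name = PROTO_NAMES.get(proto, "proto%d" % proto)
        if suites and suites[-1][0] == number:
            suites[-1][1].append(name)
        elif number in seen:
            raise ValueError("proposal number %d reused non-contiguously" % number)
        else:
            seen.add(number)
            suites.append((number, [name]))
    return [protos for _number, protos in suites]


# Constructed sample: ESP and IPCOMP under the same proposal number (linked SAs).
# ESP SPI is 4 octets; IPCOMP carries a 2-octet CPI in the SPI field.
LINKED = build_sa_body([
    (1, PROTO_IPSEC_ESP, b"\x11\x22\x33\x44", 3),  # ESP_3DES transform id
    (1, PROTO_IPCOMP, b"\x00\x01", 2),             # IPCOMP_DEFLATE transform id
])

# Constructed sample: ESP or AH as alternatives, not linked.
ALTERNATIVES = build_sa_body([
    (1, PROTO_IPSEC_ESP, b"\x11\x22\x33\x44", 3),
    (2, PROTO_IPSEC_AH, b"\x55\x66\x77\x88", 2),   # AH_MD5 transform id
])

if __name__ == "__main__":
    print("linked      :", protection_suites(LINKED))        # [['ESP', 'IPCOMP']]
    print("alternatives:", protection_suites(ALTERNATIVES))  # [['ESP'], ['AH']]
```

A responder that wants to accept the ESP+IPCOMP bundle must install both SAs or neither; the grouping above is what tells it which proposals belong together, which is exactly why two separate SA payloads or two Quick Modes cannot express the link.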

