
Re: Bundle or not in negotiation



Mohan Parthasarathy wrote:
<trimmed...>
> Assume I wait until all negotiations are finished. What is wrong with
> negotiating them separately, except for some slow performance? Assume the
> policy does not mandate unique SAs, i.e. sharing of SAs is permitted. What
> is wrong in having AH and ESP SAs separately? Some other connection may want
> to use just the AH SA and not the ESP SA. Some connection may want to use both
> of them. Is there any reason to bundle them together?
> 

This nails another point that's been nagging at me lately: the
architecture explicitly permits sharing of SAs, which I take to mean
between different endpoints which match the policy rule used to
instantiate the SAs to begin with. However, there is no way (that I can
see) to negotiate this in IKE. That is, once the SA is instantiated,
there doesn't seem to be any way to negotiate the addition of more
endpoints to it. It appears that fresh SAs must be negotiated, with new
keys, etc. My first thought was that I could just pass the SPI of the
instantiated SA in the later negotiations, but there's no way to
indicate that the original keying material should be shared. Am I way
out there on this, or should we think about a way to permit this in IKE?

