
Q about SA bundles



Howdy ()

	OK, so everyone knows from ARCH sec 4.1 that:
 "Security services are afforded to an SA by the use of AH, or ESP, but
not both. If both AH and ESP protection is applied to a traffic stream, then
two (or more) SAs are created to afford protection to the traffic stream."

	Why is this? What was the original thinking that went into this
"separation of SAs" requirement? One could envision a standardized
architecture which called for bundling ordered security services under a
single SA. Then the SA management construct would have modeled very closely
the virtual link. That would have been a nice model for VPN management.

	So, what were the cons to 'grand unifying' SAs? This is only a point
of curiosity for me since the IPSec ARCH is obviously well understood and
widely implemented (including at my company).


###################################
#  Ricky Charlet
#   rcharlet@RedCreek.com
#  (510) 795-6903
###################################
end Howdy; 

Ricky

