[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q about SA bundles

To: Ricky Charlet <rcharlet@redcreek.com>
Subject: Re: Q about SA bundles
From: Stephen Kent <kent@bbn.com>
Date: Tue, 19 Jan 1999 12:08:18 -0500
Cc: "'ipsec@tis.com'" <ipsec@tis.com>
In-Reply-To: <B74EBB896D29D211A43E00805F650DF2156732@EXCHANGE>
Sender: owner-ipsec@ex.tis.com

Ricky,

That's a fair question.

Originally, one could have an SA that embraced both AH and ESP, but they
became separated some time ago, as part of the refinement of the IPsec
architecture, and the fleshing out of the ESP definition.  Also, the
definition of an SA changed to call for inclusion of the IPsec protocol as
part of the triple (dest addr, protocol, and SPI).

I think a (the?) major motivation for this separation is the desire to be
able to share SAs among multiple traffic flows, which argues for more the
discrete definition of SAs that we now have.

Steve

References:

Q about SA bundles

From: Ricky Charlet <rcharlet@redcreek.com>

Prev by Date: IPsec vs L2TP
Next by Date: Elliptic curves in IPSec [revisited]
Prev by thread: Q about SA bundles
Next by thread: Re: Q about SA bundles
Index(es):
- Main
- Thread