RE: Q about SA bundles
Howdy ()
So let me see if I got this right:
IPSEC allows for the sharing of one SA among many SA bundles.
ISAKMP does not allow for the negotiation of new bundles which make use of a
pre-existing / shared SA.
And furthermore there is a MIB draft out which also will not allow SA
sharing among bundles. (will others <verify | contradict> my reading here)?
So it either takes draft work on ISAKMP and MIB to preserve the sharing /
reuse ideas or we admit that sharing/reuse of SAs among different bundles
will not happen in IPSEC.
Just honestly trying to come up to speed... is this where we are?
###################################
# Ricky Charlet
# rcharlet@RedCreek.com
# (510) 795-6903
###################################
end Howdy;
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Tuesday, January 19, 1999 9:08 AM
> To: Ricky Charlet
> Cc: 'ipsec@tis.com'
> Subject: Re: Q about SA bundles
>
>
> Ricky,
>
> That's a fair question.
>
> Originally, one could have an SA that embraced both AH and ESP, but they
> became separated some time ago, as part of the refinement of the IPsec
> architecture, and the fleshing out of the ESP definition. Also, the
> definition of an SA changed to call for inclusion of the IPsec protocol as
> part of the triple (dest addr, protocol, and SPI).
>
> I think a (the?) major motivation for this separation is the desire to be
> able to share SAs among multiple traffic flows, which argues for more the
> discrete definition of SAs that we now have.
>
> Steve
>