[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPsec SA proposal of IKE

To: ipsec@lists.tislabs.com
Subject: IPsec SA proposal of IKE
From: sakane@ydc.co.jp
Date: Fri, 16 Jul 1999 10:00:58 +0900 (JST)
Sender: owner-ipsec@lists.tislabs.com

Hi folks, I'd like to make sense. 

	A <------------------> B
	   [IP][AH][ESP][ULP]

When we want to use SA bundle of AH and ESP constructed like above,
what should we do phase 2 of IKE ?

	1) we MUST do one quick mode.
	2) we SHOULD do one quick mode, and MAY do two quick mode.

There may be the situation when I want to make AH-SA between node
A and node B after ESP-SA was negotiated.  Of course, we can do
negotiate by using one quick mode with SA bundle after we delete
old policy.  So 2) seems good for interoperability.
But there may be policy problem.

1) means,
	A                           B
	-----------                 -----------
	HDR*, ...SA(AH+ESP)... -->
	                       <--  HDR*, ...SA(AH+ESP)...

2) means,
	A                           B
	-----------                 -----------
	HDR*, ...SA(AH+ESP)... -->
	                       <--  HDR*, ...SA(AH+ESP)...
    or
	A                           B
	-----------                 -----------
	HDR*, ...SA(AH)...     -->
	                       <--  HDR*, ...SA(AH)...

	HDR*, ...SA(ESP)...    -->
	                       <--  HDR*, ...SA(ESP)...

/Shoichi `NE' Sakane @ KAME project/

Follow-Ups:

Re: IPsec SA proposal of IKE

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: your mail
Next by Date: Re: your mail
Prev by thread: Re: starting on asking THE QUESTION
Next by thread: Re: IPsec SA proposal of IKE
Index(es):
- Main
- Thread