
Re: IPsec SA proposal of IKE



  It's #1, you do one quick mode.

  Dan.

On Fri, 16 Jul 1999 10:00:58 +0900 you wrote
> Hi folks, I'd like to make sense. 
> 
> 	A <------------------> B
> 	   [IP][AH][ESP][ULP]
> 
> When we want to use an SA bundle of AH and ESP constructed like above,
> what should we do in phase 2 of IKE?
> 
> 	1) we MUST do one quick mode.
> 	2) we SHOULD do one quick mode, and MAY do two quick modes.
> 
> There may be a situation where I want to make an AH-SA between node
> A and node B after the ESP-SA was negotiated.  Of course, we can
> negotiate by using one quick mode with the SA bundle after we delete
> the old policy.  So 2) seems good for interoperability.
> But there may be a policy problem.
> 
> 1) means,
> 	A                           B
> 	-----------                 -----------
> 	HDR*, ...SA(AH+ESP)... -->
> 	                       <--  HDR*, ...SA(AH+ESP)...
> 
> 2) means,
> 	A                           B
> 	-----------                 -----------
> 	HDR*, ...SA(AH+ESP)... -->
> 	                       <--  HDR*, ...SA(AH+ESP)...
>     or
> 	A                           B
> 	-----------                 -----------
> 	HDR*, ...SA(AH)...     -->
> 	                       <--  HDR*, ...SA(AH)...
> 
> 	HDR*, ...SA(ESP)...    -->
> 	                       <--  HDR*, ...SA(ESP)...
> 
> /Shoichi `NE' Sakane @ KAME project/
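
Added example, not part of the original messages: how SA(AH+ESP) in a single quick mode looks on the wire. In ISAKMP (RFC 2408) the two Proposal payloads carry the same Proposal number, which makes them one bundle, and the parser below groups them that way. Transform attributes are omitted and the SPIs are constructed values.

```python
import struct
from collections import defaultdict

PROTO = {2: "AH", 3: "ESP"}              # IPsec DOI protocol IDs (RFC 2407)
IPSEC_DOI, SIT_IDENTITY_ONLY = 1, 1

def transform(num, tid, last):
    # Transform payload: next (3 = more, 0 = last), rsvd, length, T#, T-ID, rsvd2
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, num, tid, 0)

def proposal(num, proto, spi, tids, last):
    body = b"".join(transform(i + 1, t, i == len(tids) - 1) for i, t in enumerate(tids))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num, proto, len(spi), len(tids))
    return hdr + spi + body

def sa_payload(props):
    # props: list of (proposal#, protocol-id, spi, [transform ids])
    body = b"".join(proposal(n, p, s, t, i == len(props) - 1)
                    for i, (n, p, s, t) in enumerate(props))
    return struct.pack("!BBHII", 0, 0, 12 + len(body), IPSEC_DOI, SIT_IDENTITY_ONLY) + body

def parse_sa(buf):
    """Return {proposal#: [(protocol, [transform ids])]}; same number = one bundle."""
    _, _, total, doi, _sit = struct.unpack_from("!BBHII", buf, 0)
    if total != len(buf) or doi != IPSEC_DOI:
        raise ValueError("bad SA payload length or DOI")
    bundles, off = defaultdict(list), 12
    while off < total:
        nxt, _, plen, num, proto, spi_sz, ntrans = struct.unpack_from("!BBHBBBB", buf, off)
        if plen < 8 + spi_sz or off + plen > total:
            raise ValueError("proposal length out of bounds")
        t_off, tids = off + 8 + spi_sz, []
        for _ in range(ntrans):
            _nx, _, tlen, _tnum, tid, _ = struct.unpack_from("!BBHBBH", buf, t_off)
            if tlen < 8 or t_off + tlen > off + plen:
                raise ValueError("transform length out of bounds")
            tids.append(tid)
            t_off += tlen
        bundles[num].append((PROTO.get(proto, proto), tids))
        off += plen
        if nxt == 0:
            break
    return dict(bundles)

# Constructed offers: AH_SHA (3) and ESP_3DES (3); SPIs are made-up values
ONE_QM = sa_payload([(1, 2, b"\x00\x00\x10\x01", [3]), (1, 3, b"\x00\x00\x10\x02", [3])])
AH_ONLY = sa_payload([(1, 2, b"\x00\x00\x10\x03", [3])])
```

`parse_sa(ONE_QM)` yields a single proposal number holding both AH and ESP, while `AH_ONLY` is what each exchange of the two-quick-mode variant would carry.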
