Re: why the SAs are unidirectional
> I have a query regarding SAs (Security Associations): why are SAs defined
> in one direction, separate for inbound and outbound traffic? Why are they not
> defined in both ways?
1) reusing the same key in both directions makes reflection attacks
easier; using a different key makes them much harder.
2) reusing the same SPI in both directions is impossible in general
since the owner of each destination address controls/allocates its own
inbound SPI space.
Most key management protocols create pairs of SAs, one in each
direction.
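As an added illustration (not part of the original message), a toy Python model of the two points above: a packet protected under A's outbound SA is bounced back to A unchanged, and A's inbound processing accepts it only when both directions share the same key and the same SPI. The SPI/HMAC layout and the SPI values are a constructed simplification, not real ESP/AH.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 tag length (constructed toy format)


class SA:
    """One unidirectional Security Association: an SPI chosen by the
    receiving end plus the integrity key used on that direction."""
    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key


def protect(sa: SA, payload: bytes) -> bytes:
    """Sender side: 4-byte SPI header + payload + tag over both."""
    hdr = sa.spi.to_bytes(4, "big")
    tag = hmac.new(sa.key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


def accept(inbound: Dict[int, SA], packet: bytes) -> Optional[bytes]:
    """Receiver side: look the SPI up in *our own* inbound table (the
    receiver allocated it) and verify the tag. None means rejected."""
    spi = int.from_bytes(packet[:4], "big")
    sa = inbound.get(spi)
    if sa is None:
        return None  # point 2: unknown SPI in this host's inbound space
    body, tag = packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(sa.key, packet[:4] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # point 1: tag was made under a different key
    return body


def reflection_accepted(shared_key: bool, same_spi: bool = True) -> bool:
    """Does A accept its own A->B packet when B bounces it straight back?
    B allocates the SPI for A->B; A allocates the SPI for B->A."""
    key_ab = secrets.token_bytes(32)
    key_ba = key_ab if shared_key else secrets.token_bytes(32)
    spi_chosen_by_b = 0x1001                          # constructed value
    spi_chosen_by_a = 0x1001 if same_spi else 0x2002  # constructed value
    a_outbound = SA(spi_chosen_by_b, key_ab)
    a_inbound = {spi_chosen_by_a: SA(spi_chosen_by_a, key_ba)}
    packet = protect(a_outbound, b"hello B")
    return accept(a_inbound, packet) is not None  # reflector changes nothing
```

With per-direction keys the reflected packet fails the integrity check even when the SPIs collide; with distinct inbound SPIs it is dropped before the key is ever consulted.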