[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: why the SAs are unidirectional

To: 867 <867@nu.edu.pk>
Subject: Re: why the SAs are unidirectional
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Mon, 18 Feb 2002 12:29:47 -0500
cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
In-Reply-To: Your message of "Mon, 18 Feb 2002 20:31:16 +0500." <4F7DD203738DD411B71A00B0D03DDECC034A21F6@highway>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

> I have a query regarding SAs (Security Associations ), why SAs are defined
> in one direction. Separate for inbound and outbond traffic. Why are they not
> defined in both ways.

1) reusing the same key in both directions makes reflection attacks
easier; using a different key makes them much harder.

2) reusing the same SPI in both directions is impossible in general
since the owner of each destination address controls/allocates its own
inbound SPI space.

Most key management protocols create pairs of SA's, one in each
direction.

Follow-Ups:
- RE: why the SAs are unidirectional
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

References:
- why the SAs are unidirectional
  - From: 867 <867@nu.edu.pk>

Prev by Date: why the SAs are unidirectional
Next by Date: RE: why the SAs are unidirectional
Prev by thread: why the SAs are unidirectional
Next by thread: RE: why the SAs are unidirectional
Index(es):
- Date
- Thread