
RE: why the SAs are unidirectional



Also, it's because you want to have different sequence numbers in each
direction.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Bill Sommerfeld
> Sent: Monday, February 18, 2002 12:30 PM
> To: 867
> Cc: 'ipsec@lists.tislabs.com'
> Subject: Re: why the SAs are unidirectional
>
>
> > I have a query regarding SAs (Security Associations): why are SAs
> > defined in one direction, separate for inbound and outbound traffic?
> > Why are they not defined in both ways?
>
> 1) reusing the same key in both directions makes reflection attacks
> easier; using a different key makes them much harder.
>
> 2) reusing the same SPI in both directions is impossible in general
> since the owner of each destination address controls/allocates its own
> inbound SPI space.
>
> Most key management protocols create pairs of SAs, one in each
> direction.
>
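The three points above (per-direction keys stop reflection, each end owns its inbound SPI space, and each direction has its own sequence counter and anti-replay window) are easy to see in a toy model. The following is an added example, not code from the thread or from any IPsec implementation: it models an ESP-like packet as (SPI, sequence number, payload, ICV) with the ICV a truncated HMAC-SHA256 over the first three fields, and a 64-entry anti-replay window. The `make_pair` function builds two peers either the way a key manager normally would (distinct inbound SPIs allocated by each receiver, distinct keys per direction) or with a hypothetical shared bidirectional SA, and `reflection_outcome` shows what happens when an attacker bounces one of A's own packets back at A. All names, SPI values and payloads are made up for the illustration.

```python
"""Toy ESP-like model showing why IPsec SAs are unidirectional.

Added example, not real ESP: a packet is (spi, seq, payload, icv) with
icv = HMAC-SHA256(key, spi || seq || payload)[:12].  SPI values, keys and
payloads are constructed for the illustration.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

REPLAY_WINDOW = 64  # sliding anti-replay window size, as in RFC 4303


def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity check value over SPI, sequence number and payload."""
    data = struct.pack(">II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


@dataclass
class OutboundSA:
    spi: int          # the receiver's inbound SPI, chosen by the receiver
    key: bytes
    seq: int = 0      # per-direction counter, owned by exactly one sender

    def protect(self, payload: bytes):
        self.seq += 1
        return (self.spi, self.seq, payload, icv(self.key, self.spi, self.seq, payload))


@dataclass
class InboundSA:
    spi: int          # allocated from this host's own inbound SPI space
    key: bytes
    highest: int = 0
    seen: set = field(default_factory=set)

    def unprotect(self, pkt):
        spi, seq, payload, tag = pkt
        if spi != self.spi:
            return None, "unknown SPI"
        # Preliminary anti-replay check: below the window or already seen.
        if seq <= self.highest - REPLAY_WINDOW or seq in self.seen:
            return None, "replay"
        if not hmac.compare_digest(tag, icv(self.key, spi, seq, payload)):
            return None, "bad ICV"
        # Only an authenticated packet advances the window.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW}
        return payload, "ok"


@dataclass
class Peer:
    name: str
    inbound: InboundSA
    outbound: OutboundSA

    def send(self, payload: bytes):
        return self.outbound.protect(payload)

    def receive(self, pkt):
        return self.inbound.unprotect(pkt)


def make_pair(shared_spi: bool, shared_key: bool):
    """Build peers A and B.  (False, False) is what a key manager normally
    sets up; the shared variants model a hypothetical bidirectional SA."""
    k_ab = os.urandom(32)
    k_ba = k_ab if shared_key else os.urandom(32)
    spi_b_in = 0x1000                              # B allocates the SPI for packets B receives
    spi_a_in = spi_b_in if shared_spi else 0x2000  # A allocates its own inbound SPI
    a = Peer("A", InboundSA(spi_a_in, k_ba), OutboundSA(spi_b_in, k_ab))
    b = Peer("B", InboundSA(spi_b_in, k_ab), OutboundSA(spi_a_in, k_ba))
    return a, b


def reflection_outcome(shared_spi: bool, shared_key: bool) -> str:
    """Attacker captures a packet A sent to B and delivers it back to A."""
    a, b = make_pair(shared_spi, shared_key)
    pkt = a.send(b"transfer 100 to mallory")  # constructed payload
    assert b.receive(pkt)[1] == "ok"          # legitimate delivery works
    return a.receive(pkt)[1]                  # how A treats its own reflected packet


def replay_outcome():
    """Straight replay of a genuine A->B packet against B's inbound SA."""
    a, b = make_pair(False, False)
    pkt = a.send(b"hello")
    return b.receive(pkt)[1], b.receive(pkt)[1]


if __name__ == "__main__":
    print("shared SPI + shared key :", reflection_outcome(True, True))    # ok  (attack succeeds)
    print("shared SPI, per-dir keys:", reflection_outcome(True, False))   # bad ICV
    print("per-dir SPI + keys      :", reflection_outcome(False, False))  # unknown SPI
    print("replay of A->B at B     :", replay_outcome())                  # ('ok', 'replay')
```

With one key and one SPI in both directions the reflected packet is accepted by A as though B had sent it: A's inbound replay window has never seen that sequence number, because it was A's own outbound counter that produced it. Giving each direction its own key makes the ICV fail on reflection, and letting each receiver pick its own inbound SPI means the reflected packet does not even resolve to an SA on A. The replay check itself only works because exactly one sender owns the sequence counter for each inbound SA, which is the point about sequence numbers above.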