
RE: why the SAs are unidirectional



>>"867" (is that really your name? :-) ) asked why IPsec SAs are unidirectional.
>>Bill Sommerfeld and Andrew Krywaniuk pointed out that it is useful
>>to have separate keys, SPIs and sequence numbers in the two directions.

There's no reason why you can't create a bidirectional SA with different
SPIs, sequence numbers, and keys in the two directions. For instance, SSL
has different keys for the two directions. IKEv1 should have but didn't.

You really wouldn't want to create a true unidirectional SA, since it
is hard to tell if it's a black hole. So IPsec SAs get created in pairs, and
sometimes it's awkward to match up what the proper SA in the other direction
is in case you'd want to send an error message.

Radia
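To make the two points above concrete (separate SPI, key and sequence-number state per direction, and SAs created as a pair so the reverse-direction SA can be found), here is a small model. It is an added illustration for this archive page, not code from Radia's message or from any IPsec implementation; the class and method names (SA, SAPair, negotiate, reverse_for, demo), the direction labels fed to the key derivation, the 64-packet anti-replay window and the 12-byte truncated HMAC-SHA-256 tag are all assumptions chosen for the example.

```python
# Added illustration of paired unidirectional SAs (not code from the post).
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

WINDOW = 64    # assumed anti-replay window, in packets
TAG_LEN = 12   # assumed truncated-HMAC tag length


@dataclass
class SA:
    """One unidirectional SA. A sender uses `seq`; a receiver uses
    `highest`/`window`. A single SA is never used in both roles."""
    spi: int
    key: bytes
    seq: int = 0        # last sequence number sent
    highest: int = 0    # highest sequence number accepted
    window: int = 0     # bit i set => sequence number (highest - i) already seen

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1
        hdr = struct.pack("!II", self.spi, self.seq)
        tag = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + payload + tag

    def unprotect(self, pkt: bytes) -> Optional[bytes]:
        """Payload if the packet is valid on this SA, else None."""
        if len(pkt) < 8 + TAG_LEN:
            return None
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):   # other direction's key fails here
            return None
        if not self._accept_seq(seq):              # window updated only after the tag checks
            return None
        return body[8:]

    def _accept_seq(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest:                     # slide the window forward
            shift = seq - self.highest
            self.window = 1 if shift >= WINDOW else \
                ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or self.window & (1 << diff):   # too old, or a replay
            return False
        self.window |= 1 << diff
        return True


@dataclass
class SAPair:
    """Two SAs created together: inbound SPI chosen locally, outbound SPI by the peer."""
    inbound: SA
    outbound: SA

    @classmethod
    def negotiate(cls, shared_secret: bytes, my_spi: int, peer_spi: int,
                  initiator: bool) -> "SAPair":
        # Per-direction keys from one secret plus an assumed direction label,
        # the same idea as SSL's separate keys for the two directions.
        def kdf(label: bytes) -> bytes:
            return hmac.new(shared_secret, label, hashlib.sha256).digest()
        k_i2r, k_r2i = kdf(b"i->r"), kdf(b"r->i")
        send_key, recv_key = (k_i2r, k_r2i) if initiator else (k_r2i, k_i2r)
        return cls(inbound=SA(my_spi, recv_key), outbound=SA(peer_spi, send_key))

    def reverse_for(self, pkt: bytes) -> Optional[SA]:
        """SA to answer (e.g. with an error) a packet received on our inbound SA."""
        spi = struct.unpack("!I", pkt[:4])[0]
        return self.outbound if spi == self.inbound.spi else None


def demo() -> dict:
    secret = os.urandom(32)   # constructed stand-in for an IKE-derived secret
    a = SAPair.negotiate(secret, my_spi=0x1001, peer_spi=0x2002, initiator=True)
    b = SAPair.negotiate(secret, my_spi=0x2002, peer_spi=0x1001, initiator=False)
    p1, p2, p3 = (a.outbound.protect(m) for m in (b"hello", b"second", b"third"))
    return {
        "first": b.inbound.unprotect(p1),        # b"hello"
        "replay": b.inbound.unprotect(p1),       # None: same seq on the same SA
        "reorder3": b.inbound.unprotect(p3),     # b"third"
        "reorder2": b.inbound.unprotect(p2),     # b"second": late, but inside the window
        "reflected": a.inbound.unprotect(p1),    # None: A's inbound SA has its own SPI
        "wrong_direction_key": SA(0x2002, b.outbound.key).unprotect(p1),  # None
        "reply_sa_is_outbound": b.reverse_for(p1) is b.outbound,         # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The receiver verifies the tag before touching the replay window, so an unauthenticated packet cannot move the window; and because the pair object records which outbound SA belongs with which inbound SPI, the "which SA do I answer on" question Radia describes as awkward is a one-line lookup here.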