
RE: why the SAs are unidirectional



Excerpt of message (sent 18 February 2002) by Andrew Krywaniuk:
> At this point, it just comes down to what you want to name things. In IPsec,
> an SA is a unidirectional object with a 32 bit id, so we're stuck with that.
> Since IKE does all its operations on pairs of SAs, it is very easy to create
> a "Bidirectional SA" abstraction that has two 33 bit ids.

Radia brings up a good point, though.  Yes, the fundamental construct
in IPsec is an SA, which is unidirectional, so they are created in
pairs to make a bidirectional channel.

Unfortunately, this is a somewhat messy graft on top of the basic
mechanism.  The protocol really treats each SA as separate, and the
fact that the pairs need to go together is something that requires
constant care and attention and lots of ugly code in IKE.

Compare with SSL, where the bidirectional channel is a fundamental
construct, not a kluge patched on top of unidirectional channels.

	   paul
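The following is an added illustration of the two models discussed in this thread; it is not code from the thread or from any IKE implementation. It assumes, as in RFC 2401, that an SA is identified by (SPI, destination address, protocol) with a 32-bit SPI, and that a "bidirectional SA" is nothing more than a pair of unidirectional entries that the caller has to keep in step. The `SADB`, `BidirectionalSA` and `orphaned` names, and the hosts and SPIs, are constructed for the example.

```python
"""Unidirectional IPsec SAs in an SADB, plus a paired abstraction layered on top.

Added example, not code from the list thread or from any IKE implementation.
Assumptions: an SA is keyed by (SPI, destination, protocol) as in RFC 2401;
SPIs are 32-bit with 1-255 reserved; hosts and SPIs here are constructed values.
"""
from dataclasses import dataclass
import secrets

ESP = 50                 # IP protocol number for ESP
AH = 51                  # IP protocol number for AH
SPI_MASK = 0xFFFFFFFF    # the SPI is a 32-bit field on the wire


def random_spi() -> int:
    """Pick an SPI outside the reserved 0-255 range (simulates the receiver's choice)."""
    return 256 + secrets.randbelow(SPI_MASK - 255)


@dataclass(frozen=True)
class SAKey:
    """Receiver-side identity of one unidirectional SA (RFC 2401 triple)."""
    spi: int
    dst: str
    proto: int

    def __post_init__(self):
        if not 0 <= self.spi <= SPI_MASK:
            raise ValueError("SPI must fit in 32 bits")
        if self.proto not in (ESP, AH):
            raise ValueError("proto must be ESP or AH")


@dataclass
class SA:
    """One direction only: traffic from src to key.dst, selected by key on receipt."""
    key: SAKey
    src: str
    bytes_used: int = 0


class SADB:
    """Security association database; it knows nothing about pairs."""
    def __init__(self):
        self._sas: dict[SAKey, SA] = {}

    def add(self, sa: SA) -> None:
        if sa.key in self._sas:
            raise ValueError("duplicate SA")
        self._sas[sa.key] = sa

    def lookup(self, spi: int, dst: str, proto: int):
        return self._sas.get(SAKey(spi, dst, proto))

    def delete(self, key: SAKey) -> bool:
        return self._sas.pop(key, None) is not None

    def __contains__(self, key: SAKey) -> bool:
        return key in self._sas

    def __len__(self) -> int:
        return len(self._sas)


@dataclass
class BidirectionalSA:
    """The graft on top: two SADB entries that must be created and torn down together."""
    outbound: SA
    inbound: SA

    @classmethod
    def establish(cls, sadb: SADB, local: str, peer: str, proto: int = ESP):
        # Each side picks the SPI for the SA it will receive on; the peer's choice
        # is simulated with a random value. Both entries are installed as one step.
        inbound = SA(SAKey(random_spi(), local, proto), src=peer)
        outbound = SA(SAKey(random_spi(), peer, proto), src=local)
        sadb.add(inbound)
        sadb.add(outbound)
        return cls(outbound, inbound)

    def teardown(self, sadb: SADB) -> int:
        """Delete both halves; returns how many entries were actually removed."""
        return sum(sadb.delete(k) for k in (self.inbound.key, self.outbound.key))


def orphaned(sadb: SADB, pair: BidirectionalSA) -> list[SAKey]:
    """Keys of half-open pairs: one direction still in the SADB, the other gone.

    This is the bookkeeping the thread calls 'constant care and attention':
    the SADB itself never reports it, so the pairing layer has to check.
    """
    keys = (pair.inbound.key, pair.outbound.key)
    present = [k for k in keys if k in sadb]
    return present if len(present) == 1 else []
```

Deleting only one key through `SADB.delete` (the equivalent of an IKE delete for a single SPI) leaves the partner entry in place, and `orphaned` is the kind of consistency check the pairing layer must run because the database of unidirectional SAs cannot do it.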