[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: why the SAs are unidirectional

To: ipsec@lists.tislabs.com
Subject: Re: why the SAs are unidirectional
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Tue, 19 Feb 2002 09:12:53 +0200
In-reply-to: <15473.43370.526000.819610@gargle.gargle.HOWL> (message from PaulKoning on Mon, 18 Feb 2002 20:24:58 -0500)
References: <200202182058.PAA03976@bcn.East.Sun.COM><000401c1b8c1$43700be0$1e72788a@ca.alcatel.com> <15473.43370.526000.819610@gargle.gargle.HOWL>
Sender: owner-ipsec@lists.tislabs.com


> Unfortunately, this is a somewhat messy graft on top of the basic
> mechanism.  The protocol really treats each SA as separate, and the
> fact that the pairs need to go together is something that requires
> constant care and attention and lots of ugly code in IKE.

Which is why it shouldn't have tried that in the first place. As I
have said several times, IPSEC would work just fine if key negotiation
just negetiated a key for unidirectional SA. Very simple compared to
the current mess.

Follow-Ups:
- Re: why the SAs are unidirectional
  - From: Dan Harkins <dharkins@tibernian.com>

References:
- RE: why the SAs are unidirectional
  - From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
- RE: why the SAs are unidirectional
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
- RE: why the SAs are unidirectional
  - From: Paul Koning <pkoning@equallogic.com>

Prev by Date: Re: RESEND: Thoughts on identity attacks
Next by Date: RE: why the SAs are unidirectional
Prev by thread: RE: why the SAs are unidirectional
Next by thread: Re: why the SAs are unidirectional
Index(es):
- Date
- Thread