
Re: why the SAs are unidirectional



ranjeet barve <ranjeet_barve@yahoo.co.in> writes:

> Does this mean that the Property of an SA being
> Uni-Directional allows the existence of the following
> scenario
> 
> Policy Database:
>             Peer 1                Peer 2
> Inbound     ESP Tunnel(3DES)      AH Tunnel(HMAC-MD5)
> Outbound    AH Tunnel(HMAC-MD5)   ESP Tunnel(3DES)
> 
> Thus no matter who initiates a connection, whenever
> Peer1 sends data to Peer2, AH Tunnel mode will be used
> and when Peer 2 sends data to Peer 1, ESP Tunnel mode
> will be used.

Theoretically, yes, you could set up a pair of peers with this type of
configuration, although I don't think IKE would actually be able to
negotiate such a result.

> Also if IKE is used for SA exchange, 4 SAs will be
> created at each Peer, two for AH Tunnel mode and two
> for ESP Tunnel Mode.
> Please correct me if I am wrong.

Well, this is confusing.  If you assumed that IKE could negotiate
non-symmetric protection, then no, only TWO SAs will be created at
each Peer.  Each peer has ONE INBOUND and ONE OUTBOUND SA.  So,
yes, there are four SAs in total, but only two per peer.

> Does the Initiator of the Data transfer Dominate the
> type of IPsec Tunneling between the Peers? e.g if Peer
> 1 initiates the Data Transfer, then the AH Tunnel mode
> SAs will be used for Data transfer between the peers
> till the SAs expire or the Connection Terminates.

No, the two IKE peers MUST agree on the protection suite.

> Regards,
> Ranjeet Barve.
> M.Tech, IITB.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
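A small added model (my own, not code from the thread or from any IPsec implementation) of the two points in the reply above: SAs are unidirectional, so each peer's SAD holds one inbound and one outbound SA (two per peer, four in total), and both ends of any one SA must carry the same protection suite. Peer addresses, SPI values and the helper names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    """One unidirectional SA: identified by its SPI, destination and protocol."""
    spi: int    # Security Parameter Index, chosen by the receiving peer
    dst: str    # destination address the SA protects traffic towards
    proto: str  # "AH" or "ESP"
    alg: str    # e.g. "3DES" or "HMAC-MD5"
    mode: str = "tunnel"

def build_sads(addr1, pol1, addr2, pol2, spi1=0x1001, spi2=0x2002):
    """Build each peer's SAD from the two policies (hypothetical helper).

    A policy is {"inbound": (proto, alg), "outbound": (proto, alg)}.
    Traffic from peer 1 to peer 2 is protected by ONE SA, which is peer 1's
    outbound SA and peer 2's inbound SA at the same time; both ends must
    therefore name the same protection suite, or the SA cannot exist.
    """
    if pol1["outbound"] != pol2["inbound"]:
        raise ValueError(f"1->2: peer 1 offers {pol1['outbound']}, peer 2 expects {pol2['inbound']}")
    if pol2["outbound"] != pol1["inbound"]:
        raise ValueError(f"2->1: peer 2 offers {pol2['outbound']}, peer 1 expects {pol1['inbound']}")
    to_peer2 = SA(spi2, addr2, *pol1["outbound"])  # SPI picked by peer 2, the receiver
    to_peer1 = SA(spi1, addr1, *pol2["outbound"])  # SPI picked by peer 1, the receiver
    sad1 = {"inbound": [to_peer1], "outbound": [to_peer2]}
    sad2 = {"inbound": [to_peer2], "outbound": [to_peer1]}
    return sad1, sad2

def count_sas(sad):
    """Number of SAs a peer holds: one inbound plus one outbound here."""
    return len(sad["inbound"]) + len(sad["outbound"])

def select_sa(sad, direction):
    """The SA applied to a packet depends only on its direction (inbound or
    outbound), never on which peer initiated the data transfer."""
    return sad[direction][0]

# Constructed policies matching the asymmetric table in the question:
# AH for traffic 1->2, ESP for traffic 2->1.
PEER1 = {"inbound": ("ESP", "3DES"), "outbound": ("AH", "HMAC-MD5")}
PEER2 = {"inbound": ("AH", "HMAC-MD5"), "outbound": ("ESP", "3DES")}

if __name__ == "__main__":
    sad1, sad2 = build_sads("10.0.0.1", PEER1, "10.0.0.2", PEER2)
    print(count_sas(sad1), count_sas(sad2))            # two SAs per peer, four in total
    print(select_sa(sad1, "outbound") == select_sa(sad2, "inbound"))  # same SA seen from both ends
```

Swapping one side's policy so that peer 1 offers AH outbound while peer 2 expects ESP inbound makes `build_sads` raise, which is the "MUST agree on the protection suite" condition expressed as a check.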