
SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities




Please discuss and answer this question:


4.2 Creating multiple SAs for a single pair of entities

4.2.A) How important is it that SOI be able to create multiple SA's
between a pair of entities "cheaply"?

4.2.B) How often will usage scenarios of SOI need to generate multiple
SA's between a single pair of entities?

Implications from the Scenarios:

VPN: <<<The cost of authentication must also be factored into the
total cost; this will be different for different mechanisms, which
results in a decision of scalability -vs- processing overhead. In
certain cases, it may be desirable to amortize the cost of the key
management across multiple tunnels.>>> [[[4.2]]]

VPN, End-to-End, SRA: <<<QoS increases the probability of multiple
tunnels between a pair of SGWs. Also, negotiation of IPsec tunnels
needs to accommodate QoS information, predominantly in the set of
selectors used to identify the contents of any particular IPsec
tunnel.>>> [[[4.2]]]

SRA: <<<While this does not mandate user authentication to happen
within the SOI exchange, it's strongly encouraged that the protocol
directly or indirectly associate a single user authentication exchange
with a group of IPsec tunnels between a client and an RAS.>>>
[[[4.2]]]

SRA: <<<For example, this may mean that SOI will need to allow for the
client to present its identity (or some "blob of bits" that the server
can correctly map to an identity) early in the exchange.>>> [[[4.2]]]