Re: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities



At 9:43 AM -0400 6/25/02, Theodore Ts'o wrote:
>Please discuss and answer this question:
>
>
>4.2 Creating multiple SAs for a single pair of entities
>
>4.2.A) How important is it that SOI be able to create multiple SA's
>between a pair of entities "cheaply"?

If the cost of creating multiple SAs between two entities is too 
high, it will discourage use of separate keys for distinct traffic 
flows that should receive separate SAs, e.g., for security reasons or 
for QoS reasons. For this reason I feel that this is an important 
requirement.

>4.2.B) How often will usage scenarios of SOI need to generate multiple
>SA's between a single pair of entities?
>
>Implications from the Scenarios:
>
>VPN: <<<The cost of authentication must also be factored into the
>total cost; this will be different for different mechanisms, which
>results in a decision of scalability -vs- processing overhead. In
>certain cases, it may be desirable to amortize the cost of the key
>management across multiple tunnels.>>> [[[4.2]]]

good example.

>VPN, End-to-END, SRA : <<<QoS increases the probability of multiple
>tunnels between a pair of SGWs. Also, negotiation of IPsec tunnels
>needs to accommodate QoS information, predominantly in the set of
>selectors used to identify the contents of any particular IPsec
>tunnel.>>> [[[4.2]]]

another good example.


Steve