
Re: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities





Theodore Ts'o wrote:

> Please discuss and answer this question:
> 
> 
> 4.2 Creating multiple SAs for a single pair of entities
> 
> 4.2.A) How important is it that SOI be able to create multiple SA's
> between a pair of entities "cheaply"?


Very.  The two applications already pointed out on the list, viz., 
multi-level security (e.g. auth only channel and a separate auth+enc 
channel between the same two sites), and QoS, suggest that amortizing 
the cost of multiple SA establishment is a very important feature.

Multi-channel multicast (for reliability and QoS) is another application 
that comes to mind.

best,
Lakshminath


> 
> 4.2.B) How often will usage scenarios of SOI need to generate multiple
> SA's between a single pair of entities?
> 
> Implications from the Scenarios:
> 
> VPN: <<<The cost of authentication must also be factored into the
> total cost; this will be different for different mechanisms, which
> results in a decision of scalability -vs- processing overhead. In
> certain cases, it may be desirable to amortize the cost of the key
> management across multiple tunnels.>>> [[[4.2]]]
> 
> VPN, End-to-END, SRA : <<<QoS increases the probability of multiple
> tunnels between a pair of SGWs. Also, negotiation of IPsec tunnels
> needs to accommodate QoS information, predominantly in the set of
> selectors used to identify the contents of any particular IPsec
> tunnel.>>> [[[4.2]]]
> 
> SRA: <<<While this does not mandate user authentication to happen
> within the SOI exchange, it's strongly encouraged that the protocol
> directly or indirectly associate a single user authentication exchange
> with a group of IPsec tunnels between a client and an RAS.>>>
> [[[4.2]]]
> 
> SRA: <<<For example, this may mean that SOI will need to allow for the
> client to present its identity (or some "blob of bits" that the server
> can correctly map to an identity) early in the exchange.>>> [[[4.2]]]
> 
>
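The amortization the thread is asking for (one authenticated exchange paying for many SAs between the same pair of entities) can be made concrete. The following is an added illustration, not code from this message or from any SOI draft; it assumes the structure IKEv2 (RFC 7296) later adopted, in which the initial exchange yields a derivation key SK_d and each further child SA is keyed as prf+(SK_d, Ni | Nr) from fresh nonces, with no additional Diffie-Hellman or signature work. The shared secret, nonces, SPIs, profile names and the `Peer` class are constructed for the example; the PRF is HMAC-SHA-256.

```python
"""Keying several SAs between one pair of peers from a single authenticated exchange.

Added example (not from the original message): the one expensive exchange
produces SK_d; each extra SA costs one prf+ pass over fresh nonces.
All inputs below are constructed stand-ins.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF = HMAC-SHA-256 (one of the IKEv2 PRF transforms)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S | 0x01) and
    Tn = prf(K, Tn-1 | S | n), as defined in RFC 7296 section 2.13."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


# Constructed stand-in for the output of the single expensive exchange
# (Diffie-Hellman plus signature authentication in a real protocol).
SK_D = hashlib.sha256(b"constructed: secret from the one authenticated exchange").digest()

# The two channels named in the thread: auth-only and auth+enc.
# Key lengths are assumptions chosen for the example (e.g. ESP-NULL+HMAC, AES-128+HMAC).
PROFILES = {
    "auth_only": {"enc_key_len": 0, "integ_key_len": 32},
    "auth_enc": {"enc_key_len": 16, "integ_key_len": 32},
}


def derive_child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, profile: str) -> dict:
    """KEYMAT = prf+(SK_d, Ni | Nr), split initiator-to-responder first and
    encryption key before integrity key (RFC 7296 section 2.17 ordering)."""
    p = PROFILES[profile]
    per_dir = p["enc_key_len"] + p["integ_key_len"]
    keymat = prf_plus(sk_d, ni + nr, 2 * per_dir)

    def split(chunk: bytes) -> dict:
        return {"enc": chunk[: p["enc_key_len"]], "integ": chunk[p["enc_key_len"]:]}

    return {"i2r": split(keymat[:per_dir]), "r2i": split(keymat[per_dir:])}


class Peer:
    """Minimal state of one endpoint; counts how many expensive exchanges it ran."""

    def __init__(self) -> None:
        self.expensive_exchanges = 0
        self.sk_d = b""
        self.child_sas = {}

    def initial_exchange(self, sk_d: bytes) -> None:
        self.expensive_exchanges += 1  # the only DH + authentication cost
        self.sk_d = sk_d

    def create_child_sa(self, spi: int, ni: bytes, nr: bytes, profile: str) -> dict:
        # No public-key work here: one PRF pass keys the new SA.
        self.child_sas[spi] = derive_child_sa_keys(self.sk_d, ni, nr, profile)
        return self.child_sas[spi]


def establish_pair(profiles: list) -> tuple:
    """Run one initial exchange, then one cheap child exchange per requested SA.
    Returns (initiator, responder) so their derived state can be compared."""
    initiator, responder = Peer(), Peer()
    initiator.initial_exchange(SK_D)
    responder.initial_exchange(SK_D)
    for spi, profile in enumerate(profiles, start=1):
        # Constructed deterministic nonces; a real exchange uses fresh random ones.
        ni = hashlib.sha256(b"Ni" + bytes([spi])).digest()
        nr = hashlib.sha256(b"Nr" + bytes([spi])).digest()
        initiator.create_child_sa(spi, ni, nr, profile)
        responder.create_child_sa(spi, ni, nr, profile)
    return initiator, responder


if __name__ == "__main__":
    i, r = establish_pair(["auth_only", "auth_enc", "auth_enc"])
    print("expensive exchanges per side:", i.expensive_exchanges)
    print("SAs keyed:", len(i.child_sas), "identical on both sides:", i.child_sas == r.child_sas)
```

The point the example makes is the cost asymmetry: three SAs (one auth-only, two auth+enc with distinct keys, as a QoS split would need) are keyed with a single DH/authentication round per side, and the keys differ per SA because the nonces differ. Without the `SK_d` carry-over, each SA would repeat the expensive exchange.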