
Re: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities



Ditto. I seem to also remember (not an expert on this by any means)
that IP storage had some requirements that pretty much required
multiple IPsec tunnels, one for each iSCSI connection, between iSCSI
hosts (or iSCSI gateways?). See section 4.4.1.1 in Cheryl's document.

Also, section 4.5.1 PE-to-PE IPsec is in the forefront of my mind,
but is essentially the 'multiple tunnels between SGWs' scenario
restated.

jan


On Tue, 25 Jun 2002, Stephen Kent wrote:

> At 9:43 AM -0400 6/25/02, Theodore Ts'o wrote:
> >Please discuss and answer this question:
> >
> >
> >4.2 Creating multiple SAs for a single pair of entities
> >
> >4.2.A) How important is it that SOI be able to create multiple SA's
> >between a pair of entities "cheaply"?
>
> If the cost of creating multiple SAs between two entities is too
> high, it will discourage use of separate keys for distinct traffic
> flows that should receive separate SAs, e.g., for security reasons or
> for QoS reasons. For this reason I feel that this is an important
> requirement.
>
> >4.2.B) How often will usage scenarios of SOI need to generate multiple
> >SA's between a single pair of entities?
> >
> >Implications from the Scenarios:
> >
> >VPN: <<<The cost of authentication must also be factored into the
> >total cost; this will be different for different mechanisms, which
> >results in a decision of scalability -vs- processing overhead. In
> >certain cases, it may be desirable to amortize the cost of the key
> >management across multiple tunnels.>>> [[[4.2]]]
>
> good example.
>
> >VPN, End-to-END, SRA : <<<QoS increases the probability of multiple
> >tunnels between a pair of SGWs. Also, negotiation of IPsec tunnels
> >needs to accommodate QoS information, predominantly in the set of
> >selectors used to identify the contents of any particular IPsec
> >tunnel.>>> [[[4.2]]]
>
> another good example.
>
>
> Steve
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe