
Re: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities



> 4.2 Creating multiple SAs for a single pair of entities
> 
> 4.2.A) How important is it that SOI be able to create multiple SA's
> between a pair of entities "cheaply"?

QoS may require several SAs between a pair of entities. This would lead
to a great use of SAs, most of which would be set up as a bundle by software,
that is, for instance, when the OS boots or when the PPP link is up, etc.
Initiation of several phase 1 exchanges is out of the question. Multiple phase 2
exponentiations will be expensive. Thus a cheap way of building multiple SAs
is desirable.

Anyway, if this feature is available, we can be sure it will be used.

> 4.2.B) How often will usage scenarios of SOI need to generate multiple
> SA's between a single pair of entities?

It is difficult to know at the moment.

Secure Remote Access scenarios will have to play it often.

VPN gateways could do it on reboot, but they are more likely to follow the
classical 'expensive' way.

End-to-End may often/sometimes have a need for it also. Endpoints tend to
switch on and off all the time, and it may be useful to set up multiple SAs
quickly, e.g. for a program which does video and file transfer and will need
different crypto parameters for each. Many applications need multiple
channels for different purposes; cheap SA building should be relevant for
them.

> Implications from the Scenarios:
> 
> VPN: <<<The cost of authentication must also be factored into the
> total cost; this will be different for different mechanisms, which
> results in a decision of scalability -vs- processing overhead. In
> certain cases, it may be desirable to amortize the cost of the key
> management across multiple tunnels.>>> [[[4.2]]]
> 
> VPN, End-to-END, SRA : <<<QoS increases the probability of multiple
> tunnels between a pair of SGWs. Also, negotiation of IPsec tunnels
> needs to accommodate QoS information, predominantly in the set of
> selectors used to identify the contents of any particular IPsec
> tunnel.>>> [[[4.2]]]
> 
> SRA: <<<While this does not mandate user authentication to happen
> within the SOI exchange, it's strongly encouraged that the protocol
> directly or indirectly associate a single user authentication exchange
> with a group of IPsec tunnels between a client and an RAS.>>>
> [[[4.2]]]
> 
> SRA: <<<For example, this may mean that SOI will need to allow for the
> client to present its identity (or some "blob of bits" that the server
> can correctly map to an identity) early in the exchange.>>> [[[4.2]]]
> 

--
Jean-Jacques Puig