
Re: about SPD



>     This question may be implementation specific; answer if it
> has significance.
>   Most implementations have SPD entries like: for given selectors,
> protect traffic by AH in transport mode, and so on. Why should this
> (how to protect) be part of the SPD?

SPD defines the policy; SA defines the mechanism.

the SPD is long-lived; SAs are ephemeral -- created on demand,
expire, are rekeyed, ...

Different protocols, algorithms, and modes provide different
protection (otherwise we could just use one algorithm and one mode);
they are not always considered interchangeable.  (For instance, key
lengths and perceived strength will differ from algorithm to
algorithm.)

When dynamic key management is in use, the SPD tells key management
what algorithms, modes, and protocols are acceptable; SAs are then
created on demand as needed.
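The policy/mechanism split the reply describes, as an added toy model (not code from the original message, and not the API of any real IPsec stack): the SPD is an ordered table of selectors mapped to an action plus, for PROTECT, the protocol, mode and the algorithms key management may accept; the SAD holds the short-lived SAs that are negotiated on demand and replaced when their lifetime runs out. All class and function names here are invented, `negotiate` stands in for IKE, the sample policy in `demo_spd` is constructed, and a byte-count lifetime is used only to make rekeying visible.

```python
# Toy model of the SPD/SAD split: the SPD is long-lived policy, the SAD
# holds ephemeral SAs created on demand to satisfy it.  Added illustration;
# every name is invented and this is not any real IPsec implementation.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional, Tuple
import itertools
import os

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int          # IP protocol number (6 = TCP, 17 = UDP)
    dport: int
    length: int = 100   # bytes; used against the SA's byte lifetime

@dataclass(frozen=True)
class Selector:
    """Traffic selector; None for proto/dport means 'any'."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))

@dataclass(frozen=True)
class Policy:
    """SPD entry: the action, and for PROTECT the how (protocol, mode) plus
    the algorithms key management may accept, in preference order."""
    action: str                                 # "PROTECT", "BYPASS", "DISCARD"
    protocol: Optional[str] = None              # "AH" or "ESP"
    mode: Optional[str] = None                  # "transport" or "tunnel"
    acceptable_algs: Tuple[str, ...] = ()

@dataclass
class SA:
    """SAD entry: one negotiated, expiring instance of a policy."""
    spi: int
    protocol: str
    mode: str
    alg: str
    key: bytes
    bytes_left: int

class SPD:
    """Ordered (selector, policy) list; first match wins, no match = DISCARD."""
    def __init__(self, entries: Iterable[Tuple[Selector, Policy]]):
        self.entries = list(entries)

    def lookup(self, p: Packet) -> Tuple[Optional[Selector], Policy]:
        for sel, pol in self.entries:
            if sel.matches(p):
                return sel, pol
        return None, Policy("DISCARD")

_spi = itertools.count(0x1000)   # toy SPI allocator

def negotiate(pol: Policy, peer_offers: Iterable[str]) -> str:
    """Stand-in for IKE: the SPD only says what is acceptable; the concrete
    algorithm, key and SPI are settled here, separately for every SA."""
    for alg in pol.acceptable_algs:
        if alg in peer_offers:
            return alg
    raise ValueError("peer offered nothing the SPD policy accepts")

def outbound(p: Packet, spd: SPD, sad: Dict, peer_offers: Iterable[str],
             lifetime: int = 1000) -> Tuple[str, Optional[SA]]:
    """Outbound path: consult the SPD, then reuse the live SA for that entry
    or create a fresh one if none exists or the old one has expired."""
    sel, pol = spd.lookup(p)
    if pol.action != "PROTECT":
        return pol.action, None
    k = (sel, pol.protocol, pol.mode)
    sa = sad.get(k)
    if sa is None or sa.bytes_left < p.length:        # absent or expired: rekey
        sa = SA(next(_spi), pol.protocol, pol.mode, negotiate(pol, peer_offers),
                os.urandom(16), lifetime)
        sad[k] = sa
    sa.bytes_left -= p.length
    return "PROTECT", sa

def pkt(src: str, dst: str, proto: int, dport: int) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), proto, dport)

def demo_spd() -> SPD:
    """Constructed sample policy: SSH between two subnets gets AH transport,
    other traffic between them gets ESP tunnel, a monitoring net is bypassed."""
    n = IPv4Network
    return SPD([
        (Selector(n("10.0.0.0/24"), n("10.0.1.0/24"), proto=6, dport=22),
         Policy("PROTECT", "AH", "transport", ("hmac-sha256", "hmac-sha1"))),
        (Selector(n("10.0.0.0/24"), n("10.0.1.0/24")),
         Policy("PROTECT", "ESP", "tunnel", ("aes-gcm-256",))),
        (Selector(n("0.0.0.0/0"), n("10.0.9.0/24")), Policy("BYPASS")),
    ])
```

Run three SSH packets through `outbound(pkt("10.0.0.5", "10.0.1.7", 6, 22), demo_spd(), sad, {"hmac-sha1", "hmac-sha256"}, lifetime=250)` with the same `sad` dict: the first creates an SA, the second reuses it, the third finds it exhausted and negotiates a new SPI and key, while the SPD entry that drove all three never changes. A peer that offers only an algorithm absent from `acceptable_algs` gets no SA at all, which is the "tells key management what is acceptable" point in the reply.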