Re: Question on SA Bundle
At 3:24 PM +0530 4/8/03, Lokesh wrote:
>Hi all,
>I have a question on Ipsec.
>SA's are bundled in SABundle. and there can be multiple SA Bundles
>existing linked together
>in a SPD entry.
>
>1] under what conditions it is decided that a new SA created should
>be bundled in a New SABundle? not in an existing one?
>
>can anyone point me to literature on this or similar issue ? ( that
>is regarding SPD and SA Bundles)
>Thanks
>Lokesh
Lokesh,
When writing 2401 we thought it might be possible to provide the
ability to link together a number of SAs into a bundle, similar to
what you describe in #1 above. However, in reality, IKE v1 was not
able to negotiate a general notion of bundling, specifically a way to
link new SAs to existing SAs. Thus, in practice the only bundles that
occur arise when one negotiates both AH and ESP in a single IKE
negotiation.
As we revise 2401, I anticipate clarifying this, and essentially
doing away with the notion of bundles. I have not seen a strong need
for them in list discussions, nor does IKE v2 have support for adding
SAs to a bundle.
If folks think this is not the right path for 2401bis, let me know.
Steve