
Re: Question on SA Bundle




> From: Stephen Kent <kent@bbn.com>

> In general I agree, but if we do that, and if we want to be able to 
> support bundles, then we need to add complexity to IKE to be able to 
> specify how multiple SAs relate to one another. In the general case, 
> that seems to be messy, which is why I believe we probably ought not 
> try to support this going forward, consistent with our overall 
> attempt to simplify IPsec.

It would be GREAT simplification of IPSEC if the key management
negotiated only individual unidirectional SA's by default. No policy
checking for Phase2 SA's. I've repeated this for 4 years now, and been
ignored. Let this be my one yearly reminder of the fact :-)

> Flexibility is good, except to the extent that it introduces 
> complexity. I don't think flexibility is good if it serves primarily 
> to allow non-interoperable implementations to claim conformance with 
> a "flexible" standard. We have to be careful in that regard.

Flexibility can be achieved without complexity. Consider analogy of high
level language and machine code. In my view IPSEC base RFC's should
describe the easy to implement "machine code", consisting of primitive
operations, that are clear and easy to implement. Everything is
already almost there (RFC 2401, PFKEY, ESP/AH). I always liked the
idea of unidirectional SA being a good choice for a primitive
unit.