
Re: IPsec issue #46 -- No need for nested SAs or SA bundles



At 0:40 +0300 9/3/03, Markku Savela wrote:
>Just a note: my implementation can do nested SAs, assuming you mean
>situation where you have an internal node "Another" that wants IPSEC,
>but which happens to be behind a security gateway SG:
>
>               SA1
>MyNode  <---------------> SG
>         <----------------------------------------> Another
>               SA2
>
>MyNode has nested SA2s, but both SG and Another would not see nested
>SAs.

If I understand your diagram, the MyNode component is the only one
that would see these as nested SAs. Presumably SA1 is a tunnel mode
SA to SG and SA2 is a tunnel or transport SA to Another. Is that
right?

How did you express the policy that SA2 had to be an SA nested inside 
of SA1, and thus that SA1 must be created first, etc.?

Steve