RE: I-D ACTION:draft-ietf-ipsec-rfc2401bis-00.txt
Stephen Kent writes:
> In IKEv1, you could establish two SAs at once, for the special case
> of AH + ESP. IKEv2 removed this special case feature, so now two SAs
> must be negotiated separately.
IKEv2 did not remove that feature. You can still negotiate AH + ESP
with one CREATE_CHILD_SA exchange. In IKEv2 the SA payload contains a
list of Proposal payloads. Each Proposal payload contains a proposal
number, protocol ID, SPI and a list of transforms. If two proposals have
the same proposal number they create the "protocol1 AND protocol2"
proposal, i.e. AH and ESP. Transforms consist of a transform type and
a transform ID (+ possible attributes). An example of a transform list is
Encryption Algorithm = AES_CBC
Integrity Algorithm = AUTH_HMAC_SHA1_96
I.e. the final SA payload is:
SA:
  Proposal # 1
    Protocol-ID = ESP (1)
    SPI-size = 4
    # of Transforms = 1
    SPI = 0x12345678
    Transforms:
      Transform Type = Encryption Algorithm (1)
      Transform ID = AES_CBC (12)
  Proposal # 1
    Protocol-ID = AH (2)
    SPI-size = 4
    # of Transforms = 1
    SPI = 0x12345679
    Transforms:
      Transform Type = Integrity Algorithm (3)
      Transform ID = AUTH_HMAC_SHA1_96 (2)
  Proposal # 2
    Protocol-ID = ESP (1)
    SPI-size = 4
    # of Transforms = 2
    SPI = 0x1234567a
    Transforms:
      Transform Type = Encryption Algorithm (1)
      Transform ID = AES_CBC (12)
      Transform Type = Integrity Algorithm (3)
      Transform ID = AUTH_HMAC_SHA1_96 (2)
and that proposes either ESP(AES_CBC) AND AH(SHA1) or ESP(AES_CBC with
SHA1).
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
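As an added example, not part of the mail above or of the SSH toolkit, the Python below encodes the SA payload listed in the mail onto the wire and parses it back, grouping proposals that share a proposal number into one "AH AND ESP" alternative and giving a new alternative each time the number increments. The substructure layout (proposal and transform headers, TV-format attribute) follows RFC 7296 section 3.3. Two assumptions are made: the protocol IDs used are the registry values AH=2, ESP=3 (the listing shows ESP as 1), and a 128-bit Key Length attribute is attached to AES_CBC, which the RFC requires and the listing omits. The SPIs and algorithm IDs are those of the listing; all function names are this example's own. The decoder also enforces the numbering rule (first proposal is #1, each later one repeats the previous number or adds one) and bounds-checks every length field before trusting it, which is what a responder parsing a peer's SA payload should do.

```python
"""Encode/decode an IKEv2 SA payload with AND-ed (AH + ESP) proposals."""
import struct

# Registry values (assumption: the mail's listing shows ESP as 1): AH=2, ESP=3
PROTO = {"AH": 2, "ESP": 3}
PROTO_NAME = {v: k for k, v in PROTO.items()}
TT_ENCR, TT_INTEG = 1, 3                 # transform types from the listing
ENCR_AES_CBC, AUTH_HMAC_SHA1_96 = 12, 2  # transform IDs from the listing
ATTR_KEY_LENGTH = 14                     # TV-format attribute, assumed for AES_CBC


def _encode_transform(ttype, tid, keylen, last):
    # Transform header: last(0)/more(3), reserved, length, type, reserved, ID
    attrs = b""
    if keylen is not None:
        attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen)  # TV format
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def _encode_proposal(num, proto, spi, transforms, last):
    # transforms: list of (type, id, keylen-or-None); SPI size is 4 for AH/ESP
    body = b"".join(_encode_transform(t, i, k, idx == len(transforms) - 1)
                    for idx, (t, i, k) in enumerate(transforms))
    spi_bytes = struct.pack("!I", spi)
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi_bytes) + len(body),
                      num, proto, len(spi_bytes), len(transforms))
    return hdr + spi_bytes + body


def encode_sa(proposals):
    """proposals: list of (num, proto, spi, transforms). Returns the SA payload body."""
    return b"".join(_encode_proposal(*p, last=(i == len(proposals) - 1))
                    for i, p in enumerate(proposals))


def _decode_transforms(buf, count):
    out, off = [], 0
    for i in range(count):
        if len(buf) - off < 8:
            raise ValueError("truncated transform")
        more, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if tlen < 8 or off + tlen > len(buf):
            raise ValueError("bad transform length")
        if (more == 0) != (i == count - 1):
            raise ValueError("transform last/more flag disagrees with count")
        attrs, aoff = {}, off + 8
        while aoff < off + tlen:
            if aoff + 4 > off + tlen:
                raise ValueError("truncated attribute")
            atype, aval = struct.unpack_from("!HH", buf, aoff)
            if not atype & 0x8000:
                raise ValueError("only TV-format attributes handled here")
            attrs[atype & 0x7FFF] = aval
            aoff += 4
        out.append((ttype, tid, attrs))
        off += tlen
    if off != len(buf):
        raise ValueError("transform count does not match proposal length")
    return out


def decode_sa(data):
    """Return alternatives: one list per proposal number, each holding the
    AND-ed (proto_name, spi_bytes, transforms) entries sharing that number."""
    alternatives, off, prev = [], 0, 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated proposal header")
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if plen < 8 + spi_size or off + plen > len(data):
            raise ValueError("bad proposal length")
        if num == prev + 1:
            alternatives.append([])          # new alternative (OR)
        elif num != prev or not alternatives:
            raise ValueError("proposal numbers must start at 1 and repeat or increment by one")
        spi = data[off + 8:off + 8 + spi_size]
        transforms = _decode_transforms(data[off + 8 + spi_size:off + plen], ntrans)
        alternatives[-1].append((PROTO_NAME.get(proto, proto), spi, transforms))
        prev, off = num, off + plen
        if more == 0 and off != len(data):
            raise ValueError("data after proposal flagged as last")
    return alternatives


def describe(alternatives):
    names = {(TT_ENCR, ENCR_AES_CBC): "AES_CBC", (TT_INTEG, AUTH_HMAC_SHA1_96): "HMAC_SHA1_96"}

    def one(proto, spi, transforms):
        parts = []
        for ttype, tid, attrs in transforms:
            n = names.get((ttype, tid), f"{ttype}/{tid}")
            if ATTR_KEY_LENGTH in attrs:
                n += f"-{attrs[ATTR_KEY_LENGTH]}"
            parts.append(n)
        return f"{proto}({','.join(parts)})"
    return [" AND ".join(one(*p) for p in alt) for alt in alternatives]


# The three proposals from the listing (constructed sample; key length added)
SAMPLE = [
    (1, PROTO["ESP"], 0x12345678, [(TT_ENCR, ENCR_AES_CBC, 128)]),
    (1, PROTO["AH"], 0x12345679, [(TT_INTEG, AUTH_HMAC_SHA1_96, None)]),
    (2, PROTO["ESP"], 0x1234567A, [(TT_ENCR, ENCR_AES_CBC, 128),
                                   (TT_INTEG, AUTH_HMAC_SHA1_96, None)]),
]

if __name__ == "__main__":
    for line in describe(decode_sa(encode_sa(SAMPLE))):
        print(line)
```

Running it prints the two alternatives the mail describes: "ESP(AES_CBC-128) AND AH(HMAC_SHA1_96)" and "ESP(AES_CBC-128,HMAC_SHA1_96)". A responder picks exactly one alternative and must answer with every proposal of that number (both the ESP and the AH proposal for alternative 1), which is why the grouping, not just the flat proposal list, is what the chooser needs.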