
[Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth



hi guys,

I am researching IPSec, and on reading many VPN related IPSec 
RFCs/drafts/books I have got one or two fairly basic questions (sorry if 
this is the wrong list for them).

I'd really appreciate any help on these questions:

1. My understanding is that an IPSec *tunnel* is made up of two 
(unidirectional) IPSec SAs. Am I correct? (There seems to be some ambiguity on 
this point, especially in some IPSec-related books.)

2. I know that in IKEv1 it is not possible to negotiate IPSec SAs with 
identical traffic selectors, but in IKEv2 I see that it is possible. So, if 
I understand this correctly, you could therefore have more than one tunnel 
(pair of unidirectional IPSec SAs) between two peers in an IPSec VPN (one 
tunnel for each separate QoS class [to prevent possible replay protection traffic 
drops], for example). Is this correct?

3. Obviously authentication can be provided by both AH and ESP. I notice 
that on some vendors' equipment it is possible to configure *both* AH and 
ESP auth for a single (pair of) IPSec SAs (1 ipsec tunnel). I have 2 
questions about this:

a. This seems to be permissible in the IPSec RFCs/drafts that I have read. Am I 
correct?

b. BUT, there seems to be absolutely no *practical* point in having both AH and 
ESP auth for 1 IPSec tunnel. Am I correct on this point?

many thanks in advance for answering my questions!

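The replay-window concern behind question 2, worked through as an added example (not code from this post or from the IPsec RFCs): a minimal anti-replay window in the style of RFC 4303, run over a constructed packet trace in which a priority queue lets voice packets overtake bulk packets. On one shared SA the delayed bulk packets land to the left of the 64-packet window and are dropped; with one SA pair per class, each sequence counter stays in order and nothing is dropped. The class names, trace and window size are assumptions.

```python
# Added example: anti-replay window per SA, single SA vs. one SA per QoS class.
class ReplayWindow:
    """RFC 4303-style sliding anti-replay window over ESP sequence numbers."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => seq (top - i) already seen

    def check_and_update(self, seq):
        """True if seq is accepted; False if it is a replay or too old."""
        if seq == 0:
            return False                 # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top       # slide the window right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                 # left of the window, or a replay
        self.bitmap |= 1 << offset
        return True

def number_packets(send_order, sa_for):
    """Sender side: one sequence counter per SA, as ESP requires."""
    counters, out = {}, []
    for cls in send_order:
        sa = sa_for(cls)
        counters[sa] = counters.get(sa, 0) + 1
        out.append((cls, sa, counters[sa]))
    return out

def receive(packets):
    """Receiver side: one window per SA; return the (class, seq) pairs dropped."""
    windows, dropped = {}, []
    for cls, sa, seq in packets:
        if not windows.setdefault(sa, ReplayWindow()).check_and_update(seq):
            dropped.append((cls, seq))
    return dropped

def qos_reorder(packets):
    """Constructed network behaviour: voice overtakes bulk in a priority queue."""
    return [p for p in packets if p[0] == "voice"] + [p for p in packets if p[0] == "bulk"]

SEND_ORDER = ["bulk"] * 5 + ["voice"] * 75   # constructed: 5 bulk, then a voice burst

def drops_with_single_sa():
    return receive(qos_reorder(number_packets(SEND_ORDER, lambda cls: "shared")))

def drops_with_sa_per_class():
    return receive(qos_reorder(number_packets(SEND_ORDER, lambda cls: cls)))
```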


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec