[Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth
hi guys,
I am researching IPSec, and on reading many VPN related IPSec
RFCs/drafts/books I have got one or two fairly basic questions (sorry if
this is the wrong list for them).
I'd really appreciate any help on these questions:
1. My understanding is that an IPSec *tunnel* is made up of two
(unidirectional) IPSec SAs. Am I correct? (there seems some ambiguity on
this point especially in some IPSec related books).

2. I know that in IKEv1 it is not possible to negotiate IPSec SAs with
identical traffic selectors, but in IKEv2 I see that it is possible. So, if
I understand this correctly you could therefore have more than one tunnel
(pair of unidirectional IPSec SAs) between two peers in an IPSec VPN (one
tunnel for each separate QoS [to prevent possible replay protection traffic
drops], for example). Is this correct?

3. Obviously authentication can be provided by both AH and ESP. I notice
that on some vendors' equipment it is possible to configure *both* AH and
ESP auth for a single (pair of) IPSec SAs (1 ipsec tunnel). I have 2
questions about this:

a. this seems to be permissible in the IPSec RFCs/drafts that I have read. Am I
correct?

b. BUT, there seems absolutely no *practical* point in having both AH and
ESP auth for 1 IPSec tunnel. Am I correct on this point?
many thanks in advance for answering my questions!
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
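An added illustration, not part of the original post or of any reply on the list: a small Python model of the concepts behind questions 1 and 2. It treats a tunnel as a pair of unidirectional SAs, each identified by its own SPI, and gives every SA its own sequence counter and an RFC 4303 style anti-replay sliding window. The peer names, SPIs and the voice/bulk traffic pattern are constructed for the demonstration. Running it shows why carrying two QoS classes over one SA can cause replay-window drops when the low-priority class is queued, while one SA pair per class (which IKEv2 permits, since both pairs can carry identical traffic selectors) does not.

```python
from dataclasses import dataclass, field

WINDOW_SIZE = 64  # RFC 4303 requires support for a window of at least 32; 64 is the usual default


@dataclass
class ReplayWindow:
    """Receiver-side anti-replay sliding window for one SA (RFC 4303 style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been received.
    """
    size: int = WINDOW_SIZE
    top: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is acceptable; False if it must be dropped."""
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.top:                     # new highest: slide the window forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                # everything seen before falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                       # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                       # duplicate: already received
        self.bitmap |= 1 << diff
        return True


@dataclass
class SA:
    """One *unidirectional* IPsec SA, identified by SPI (plus destination and protocol).

    Sender-side state is the sequence counter; receiver-side state is the replay
    window. Both live in one object here for simplicity; in practice each peer
    keeps its own copy of the SA in its SAD.
    """
    spi: int
    src: str
    dst: str
    protocol: str = "ESP"
    seq: int = 0
    window: ReplayWindow = field(default_factory=ReplayWindow)

    def next_seq(self) -> int:
        self.seq += 1
        return self.seq


def make_tunnel(peer_a: str, peer_b: str, spi_a_to_b: int, spi_b_to_a: int) -> tuple:
    """A 'tunnel' between two peers is a pair of SAs, one per direction, each with its own SPI."""
    return (SA(spi_a_to_b, peer_a, peer_b), SA(spi_b_to_a, peer_b, peer_a))


def simulate_replay_drops(num_packets: int = 200, bulk_delay: int = 100,
                          sa_per_class: bool = False) -> int:
    """Send alternating 'voice' and 'bulk' packets from A to B and count replay drops.

    Constructed network model: voice packets are delivered immediately, bulk
    packets are held for `bulk_delay` packet-times by a QoS queue. With one
    shared SA the late bulk packets land outside the replay window; with one SA
    per class each SA sees its own sequence numbers arrive in order.
    """
    classes = ("voice", "bulk")
    if sa_per_class:
        # Two SA pairs between the same peers with identical selectors; only the
        # A->B direction is exercised here. SPI values are constructed.
        sas = {cls: make_tunnel("A", "B", 0x1000 + n, 0x2000 + n)[0]
               for n, cls in enumerate(classes)}
    else:
        shared = make_tunnel("A", "B", 0x1000, 0x2000)[0]
        sas = {cls: shared for cls in classes}

    in_flight = []
    for i in range(num_packets):
        cls = classes[i % 2]
        seq = sas[cls].next_seq()              # sequence number assigned in send order
        arrival = i + (bulk_delay if cls == "bulk" else 0)
        in_flight.append((arrival, i, cls, seq))

    dropped = 0
    for _arrival, _i, cls, seq in sorted(in_flight):   # receiver sees packets in arrival order
        if not sas[cls].window.check_and_update(seq):
            dropped += 1
    return dropped


if __name__ == "__main__":
    print("shared SA, queued bulk traffic:", simulate_replay_drops(sa_per_class=False), "drops")
    print("one SA per class:              ", simulate_replay_drops(sa_per_class=True), "drops")
```

With the default parameters the shared SA drops 67 of the 100 bulk packets (every bulk packet that arrives more than 63 sequence numbers behind the latest voice packet), while the per-class SAs drop none. The window size and queueing delay are the knobs to vary: drops appear only once the delay, measured in packets on the shared SA, exceeds the window.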