
Re: [Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth



> 1. My understanding is that an IPSec *tunnel* is made up of two 
> (unidirectional) IPSec SAs. Am I correct?  (there seems some ambiguity on 
> this point especially in some IPSec related books).

This seems to be semi-common usage but strikes me as sloppy.

IPsec SA's are unidirectional; each direction requires one or more
SA's to protect it.

The way I look at it:

 - A tunnel is an artifact of policy.

 - SA's should have a limited lifetime (for numerous cryptographic
   reasons) and therefore should be thought of as ephemeral, 

 - the policy which caused the SA's to be created is persistent.

SA's can also directly protect application traffic without the
introduction of a new IP header (transport mode).

> 2. I know that in IKEv1 is not possible to negotiate IPSec SAs with 
> identical traffic selectors, but in IKEv2 I see that it is possible. So, if 
> I understand this correctly you could therefore have more than one tunnel 
> (pair of unidirectional IPSec SAs) between two peers in an IPSec VPN (one 
> tunnel for each separate QoS [to prevent possible replay protection traffic 
> drops], for example). Is this correct?

Under 2401bis, the sender may have more than one SA to choose from; this
may be presented in administrative interfaces as multiple tunnels
or as a single tunnel.

> 3. Obviously authentication can be provided by both AH and ESP. I notice 
> that on some vendors' equipment it is possible to configure *both* AH and 
> ESP auth for a single (pair of) IPSec SAs (1 ipsec tunnel). I have 2 
> questions about this:
> 
> a. this seems to be permissible in the IPSec RFCs/drafts that I have read. Am I 
> correct?

Yes.

> b. BUT, there seems absolutely no *practical* point in having both AH and 
> ESP auth for 1 IPSec tunnel. Am I correct on this point?

Yes.  It's pointless in practice, and leads to needless confusion.

						- Bill

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
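The points made in this exchange (a "tunnel" is really a pair of unidirectional SAs created by a persistent policy, SAs are ephemeral, and a separate SA per QoS class avoids anti-replay drops when the path reorders traffic) can be seen in a small model. The following is an added illustration, not code from the thread or from any IPsec implementation: the `Policy`, `SA` and `SAD` classes, the 64-packet window, the random SPIs and the voice/bulk traffic mix are all constructed assumptions, and the replay window follows the RFC 4303 sliding-bitmap scheme in spirit only.

```python
"""Toy model of how a persistent policy (SPD entry) relates to the
ephemeral, unidirectional SAs that implement it, plus a per-SA
anti-replay window. Constructed illustration, not a real IPsec stack."""
import secrets
from dataclasses import dataclass


def _new_spi() -> int:
    # SPI values below 256 are reserved, so the toy avoids them.
    return 256 + secrets.randbelow(2**32 - 256)


@dataclass(frozen=True)
class Policy:
    """Persistent SPD entry: traffic selectors plus tunnel/transport mode."""
    local_net: str
    remote_net: str
    mode: str = "tunnel"


@dataclass
class SA:
    """One unidirectional SA. The receiving side keeps a sliding
    anti-replay window over the ESP/AH sequence number."""
    spi: int
    direction: str              # "out" or "in"
    lifetime_bytes: int = 1 << 30
    window: int = 64            # anti-replay window size in packets
    bytes_used: int = 0
    next_seq: int = 1           # sender state: next sequence number
    top: int = 0                # receiver state: highest seq accepted so far
    bitmap: int = 0             # receiver state: bit i set => seq (top - i) seen

    @property
    def expired(self) -> bool:
        """SAs have a bounded lifetime; the policy that created them does not."""
        return self.bytes_used >= self.lifetime_bytes

    def send(self, size: int = 100) -> int:
        """Assign the next sequence number on an outbound SA."""
        assert self.direction == "out" and not self.expired
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.bytes_used += size
        return seq

    def receive(self, seq: int) -> bool:
        """Anti-replay check on an inbound SA; True if the packet is accepted."""
        assert self.direction == "in"
        if seq <= 0:
            return False
        if seq > self.top:                      # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False                        # older than the window, or a replay
        self.bitmap |= 1 << diff
        return True


class SAD:
    """SA database: (policy, traffic class) -> (outbound SA, inbound SA)."""
    def __init__(self):
        self.pairs = {}
        self.inbound_by_spi = {}

    def negotiate(self, policy: Policy, traffic_class: str = "any", peer_spi=None):
        """Create one SA per direction for a policy. What an admin UI calls a
        'tunnel' is exactly this pair. Each side picks the SPI for the SA it
        will receive on; peer_spi is the SPI the other side chose for ours."""
        out = SA(spi=peer_spi if peer_spi else _new_spi(), direction="out")
        inb = SA(spi=_new_spi(), direction="in")
        self.pairs[(policy, traffic_class)] = (out, inb)
        self.inbound_by_spi[inb.spi] = inb
        return out, inb

    def inbound(self, spi: int) -> SA:
        return self.inbound_by_spi[spi]


def simulate(per_class_sas: bool) -> int:
    """Send 100 voice and 100 bulk packets from initiator to responder over a
    path whose priority queueing delivers every voice packet before any bulk
    packet (constructed scenario). Returns how many packets the responder drops."""
    policy = Policy("10.0.1.0/24", "10.0.2.0/24")
    initiator, responder = SAD(), SAD()
    classes = ("voice", "bulk") if per_class_sas else ("any",)
    for c in classes:
        _, r_in = responder.negotiate(policy, c)
        initiator.negotiate(policy, c, peer_spi=r_in.spi)
    queued = {"voice": [], "bulk": []}
    for i in range(200):
        cls = "voice" if i % 2 == 0 else "bulk"
        out, _ = initiator.pairs[(policy, cls if per_class_sas else "any")]
        queued[cls].append((out.spi, out.send()))
    drops = 0
    for spi, seq in queued["voice"] + queued["bulk"]:
        if not responder.inbound(spi).receive(seq):
            drops += 1
    return drops
```

With a single SA carrying both classes, the delayed bulk packets arrive with sequence numbers far behind the window the voice traffic has already advanced, so most of them are discarded as too old; with one SA per class each window only ever sees its own, in-order stream and nothing is dropped. Both cases use the same `Policy` object throughout, which is the sense in which the tunnel is an artifact of policy while the SAs come and go.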