Re: [Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth
> 1. My understanding is that an IPSec *tunnel* is made up of two
> (unidirectional) IPSec SAs. Am I correct? (there seems some ambiguity on
> this point especially in some IPSec related books).
This seems to be semi-common usage but strikes me as sloppy.
IPsec SA's are unidirectional; each direction requires one or more
SA's to protect it.
The way I look at it:
- A tunnel is an artifact of policy.
- SA's should have a limited lifetime (for numerous cryptographic
reasons) and therefore should be thought of as ephemeral,
- the policy which caused the SA's to be created is persistent.
SA's can also directly protect application traffic without the
introduction of a new IP header (transport mode).
> 2. I know that in IKEv1 it is not possible to negotiate IPSec SAs with
> identical traffic selectors, but in IKEv2 I see that it is possible. So, if
> I understand this correctly you could therefore have more than one tunnel
> (pair of unidirectional IPSec SAs) between two peers in an IPSec VPN (one
> tunnel for each separate QoS [to prevent possible replay protection traffic
> drops], for example). Is this correct?
Under 2401bis, the sender may have more than one SA to choose from; this
may be presented in administrative interfaces as multiple tunnels
or as a single tunnel.
> 3. Obviously authentication can be provided by both AH and ESP. I notice
> that on some vendors' equipment it is possible to configure *both* AH and
> ESP auth for a single (pair of) IPSec SAs (1 ipsec tunnel). I have 2
> questions about this:
>
> a. this seems to be permissible in the IPSec RFCs/drafts that I have read. Am I
> correct?
Yes.
> b. BUT, there seems absolutely no *practical* point in having both AH and
> ESP auth for 1 IPSec tunnel. Am I correct on this point?
Yes. It's pointless in practice, and leads to needless confusion.
- Bill
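The distinction drawn above (a persistent policy versus ephemeral, unidirectional SAs, each with its own sequence counter and anti-replay window, which is why question 2 wants one SA per QoS class) as an added Python model. This is not code from the thread or from any IPsec implementation; the selectors, SPIs, lifetimes and the 64-packet window are constructed values, and the sliding window follows the shape of RFC 4303 Appendix A.

```python
"""Toy model of an IPsec policy (SPD entry) and the unidirectional SAs that
enforce it. All selectors, SPIs, lifetimes and window sizes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Selector = Tuple[str, str, str]  # (src prefix, dst prefix, protocol), constructed


@dataclass(frozen=True)
class Policy:
    """SPD entry: persistent, and what an administrator sees as 'the tunnel'."""
    selector: Selector
    mode: str = "tunnel"


@dataclass
class SA:
    """One unidirectional SA: ephemeral, with its own sequence counter and window."""
    spi: int
    policy: Policy
    direction: str            # "a->b" or "b->a"
    traffic_class: int = 0    # DSCP class carried; 0 means 'any'
    lifetime_packets: int = 1000
    window: int = 64
    send_seq: int = 0         # sender-side state
    highest_seq: int = 0      # receiver-side state
    seen: set = field(default_factory=set)

    def next_seq(self) -> int:
        self.send_seq += 1
        return self.send_seq

    def expired(self) -> bool:
        return self.send_seq >= self.lifetime_packets

    def check_replay(self, seq: int) -> bool:
        """Sliding window in the style of RFC 4303 Appendix A; True = accept."""
        if seq > self.highest_seq:                 # advance the right edge
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.highest_seq - self.window:  # fell off the left edge
            return False
        if seq in self.seen:                       # duplicate inside the window
            return False
        self.seen.add(seq)
        return True


class SAD:
    """SA database for one policy: SAs come and go, the policy stays."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.sas: Dict[int, SA] = {}
        self._spi = 0x1000                         # constructed starting SPI

    def add_pair(self, traffic_class: int = 0, **kw) -> Tuple[SA, SA]:
        pair = tuple(SA(self._spi + i, self.policy, d, traffic_class, **kw)
                     for i, d in enumerate(("a->b", "b->a")))
        self._spi += 2
        for sa in pair:
            self.sas[sa.spi] = sa
        return pair

    def outbound(self, direction: str, dscp: int = 0) -> SA:
        """Pick the SA for this direction, preferring an exact class match and
        rekeying (new SPI, same policy) when the live one has expired."""
        for wanted in (dscp, 0):
            for sa in list(self.sas.values()):
                if sa.direction == direction and sa.traffic_class == wanted:
                    if sa.expired():
                        del self.sas[sa.spi]
                    else:
                        return sa
        return next(sa for sa in self.add_pair(dscp) if sa.direction == direction)


def delayed_packet_accepted(per_class_sas: bool, burst: int = 80) -> bool:
    """Constructed scenario: one low-priority packet is sent, then a burst of
    high-priority packets; the network delivers the burst first. Returns whether
    the receiver's replay check accepts the late low-priority packet."""
    sad = SAD(Policy(("10.0.0.0/24", "10.0.1.0/24", "any")))
    sad.add_pair(traffic_class=0)
    if per_class_sas:
        sad.add_pair(traffic_class=46)             # EF class gets its own SA pair
    low = sad.outbound("a->b", dscp=0)
    high = sad.outbound("a->b", dscp=46)
    delayed = (low, low.next_seq())
    burst_pkts = [(high, high.next_seq()) for _ in range(burst)]
    for sa, seq in burst_pkts:                     # receiver sees the burst first
        sa.check_replay(seq)
    return delayed[0].check_replay(delayed[1])


def rekey_keeps_policy() -> Tuple[bool, bool]:
    """Exhaust an SA's lifetime: the SPI changes, the policy object does not."""
    sad = SAD(Policy(("10.0.0.0/24", "10.0.1.0/24", "any")))
    sad.add_pair(lifetime_packets=3)
    first = sad.outbound("a->b")
    for _ in range(3):
        first.next_seq()
    second = sad.outbound("a->b")
    return first.spi != second.spi, first.policy is second.policy


if __name__ == "__main__":
    print("single SA, late low-priority packet accepted:", delayed_packet_accepted(False))
    print("per-class SAs, late low-priority packet accepted:", delayed_packet_accepted(True))
    print("rekey changed SPI / kept policy:", rekey_keeps_policy())
```

With a single SA the 80-packet high-priority burst pushes the window's left edge past the delayed packet's sequence number, so the receiver drops it as too old; with one SA pair per class each window only sees its own class's ordering. Rekeying replaces the SA (new SPI) while the SPD entry that caused it is untouched, which is the "tunnel is an artifact of policy" view in the reply.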
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec