
Re: [Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth





>>>>> "Bob" == Bob Arthurs <bob_arthurs@hotmail.com> writes:
    Bob> 1. My understanding is that an IPSec *tunnel* is made up of two
    Bob> (unidirectional) IPSec SAs. Am I correct?  (there seems to be some
    Bob> ambiguity on this point, especially in some IPSec related
    Bob> books).

  I don't think many of us call that thing a "tunnel". A tunnel is a
superset of a pair of unidirectional IPsec SAs. (Transport mode is similar.)

    Bob> 2. I know that in IKEv1 it is not possible to negotiate IPSec SAs
    Bob> with identical traffic selectors, but in IKEv2 I see that it is
    Bob> possible. So, if I understand this correctly, you could
    Bob> therefore have more than one tunnel (pair of unidirectional
    Bob> IPSec SAs) between two peers in an IPSec VPN (one tunnel for
    Bob> each separate QoS [to prevent possible replay protection
    Bob> traffic drops], for example). Is this correct?

  Yes. QoS is one of many reasons to do this.

    Bob> 3. Obviously authentication can be provided by both AH and
    Bob> ESP. I notice that on some vendors' equipment it is possible to
    Bob> configure *both* AH and ESP auth for a single (pair of) IPSec
    Bob> SAs (1 ipsec tunnel). I have 2 questions about this:

    Bob> a. this seems to be permissible in the IPSec RFCs/drafts that I
    Bob> have read. Am I correct?

  Yes, but generally not sensible unless the end-points of the two SAs
are different.

    Bob> b. BUT, there seems to be absolutely no *practical* point in having
    Bob> both AH and ESP auth for 1 IPSec tunnel. Am I correct on this
    Bob> point?

  Given identical end-points, it would be silly, yes.

-- 
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

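Bob's second question mentions one SA per QoS class as a way to avoid anti-replay drops. The following is an added example, not part of the thread, that implements an RFC 4303-style anti-replay sliding window and runs a constructed two-class packet stream through it: a QoS scheduler that holds "bulk" packets back past the window causes drops on a single shared SA but not when each class has its own SA with its own sequence space. The packet counts, class split and delay values are constructed assumptions.

```python
"""RFC 4303-style anti-replay window and a toy model of QoS reordering
across one shared ESP SA versus one SA per traffic class."""

WINDOW = 64  # RFC 4303 mandates at least 32 entries; 64 is a common choice


class ReplayWindow:
    """Sliding bitmap: bit i set means sequence number (top - i) was seen."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        """Accept seq once; reject 0, duplicates and numbers below the window."""
        if seq == 0:
            return False            # sequence number 0 is never valid on an SA
        if seq > self.top:          # advances the window; always accepted
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:       # arrived too late: fell off the window
            return False
        if (self.bitmap >> diff) & 1:
            return False            # replayed or duplicated packet
        self.bitmap |= 1 << diff
        return True


def simulate(n_packets, bulk_delay, shared_sa, window=WINDOW):
    """Constructed stream: every 4th packet is 'bulk', the rest 'voice'.
    A QoS scheduler delays bulk packets by bulk_delay positions. Returns
    how many packets the receiver's anti-replay check drops."""
    seq_by_class = {"bulk": 0, "voice": 0}
    packets = []
    for i in range(n_packets):
        cls = "bulk" if i % 4 == 0 else "voice"
        counter = "shared" if shared_sa else cls
        seq_by_class[counter] = seq_by_class.get(counter, 0) + 1
        delay = bulk_delay if cls == "bulk" else 0
        packets.append((i + delay, i, cls, seq_by_class[counter]))
    packets.sort()                  # arrival order after QoS reordering
    windows = {}
    dropped = 0
    for _, _, cls, seq in packets:
        key = "shared" if shared_sa else cls   # one window per SA
        win = windows.setdefault(key, ReplayWindow(window))
        if not win.check_and_update(seq):
            dropped += 1
    return dropped
```

With a 100-packet delay on a single SA the bulk class is dropped wholesale, while a delay that stays inside the window, or a separate SA per class, loses nothing.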

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec