Re: [Ipsec] OT: Basic questions on IPSec SAs/tunnel/ESP & AH auth
>>>>> "Bob" == Bob Arthurs <bob_arthurs@hotmail.com> writes:
Bob> 1. My understanding is that an IPSec *tunnel* is made up of two
Bob> (unidirectional) IPSec SAs. Am I correct? (There seems to be some
Bob> ambiguity on this point, especially in some IPSec-related
Bob> books.)
I don't think many of us call that thing a "tunnel". Tunnel is a
superset of a pair of unidirectional IPsec SAs. (Transport mode is similar)
Bob> 2. I know that in IKEv1 it is not possible to negotiate IPSec SAs
Bob> with identical traffic selectors, but in IKEv2 I see that it is
Bob> possible. So, if I understand this correctly, you could
Bob> therefore have more than one tunnel (pair of unidirectional
Bob> IPSec SAs) between two peers in an IPSec VPN (one tunnel for
Bob> each separate QoS [to prevent possible replay protection
Bob> traffic drops], for example). Is this correct?
Yes. QoS is one of many reasons to do this.
Bob> 3. Obviously authentication can be provided by both AH and
Bob> ESP. I notice that on some vendors' equipment it is possible to
Bob> configure *both* AH and ESP auth for a single (pair of) IPSec
Bob> SAs (1 ipsec tunnel). I have 2 questions about this:
Bob> a. This seems to be permissible in the IPSec RFCs/drafts that I
Bob> have read. Am I correct?
Yes, but generally not sensible unless the end-points of the two SAs
are different.
Bob> b. BUT, there seems absolutely no *practical* point in having
Bob> both AH and ESP auth for 1 IPSec tunnel. Am I correct on this
Bob> point?
Given identical end-points, it would be silly, yes.
--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
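The replay-window point behind question 2 (one SA per QoS class), as an added example that is not part of the original message or thread. It models the receiver-side anti-replay window of RFC 4303 (64 packets) and assumes the sender assigns ESP sequence numbers before a priority scheduler reorders the packets, so delayed low-priority packets on a shared SA can arrive too far behind the window and be discarded, while separate SAs per class see in-order traffic.

```python
# Added example (not from the original message): why one IPsec SA per QoS
# class avoids anti-replay drops. Models the RFC 4303 64-packet sliding
# receive window. Assumes the sender numbers packets before a QoS scheduler
# reorders them, so delayed low-priority packets arrive far behind the window.
WINDOW = 64  # RFC 4303 default/minimum receiver window


class AntiReplayWindow:
    """Receiver-side sliding window (RFC 4303 Appendix A style)."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0  # top = highest seq seen

    def accept(self, seq):
        """Return True if seq is fresh and inside the window, else False."""
        if seq == 0:
            return False                     # seq 0 is never valid on the wire
        if seq > self.top:                   # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # too old: fell off the window
        if self.bitmap & (1 << offset):
            return False                     # replay: already seen
        self.bitmap |= 1 << offset
        return True


def simulate(n_packets=200, low_delay=100, per_class_sa=False):
    """Count drops when 'hi'/'lo' traffic alternates and every 'lo' packet is
    delayed by low_delay packet slots by the scheduler (constructed traffic)."""
    classes = ["hi" if i % 2 == 0 else "lo" for i in range(n_packets)]
    counters = {}                            # per-SA sequence number counters
    packets = []                             # (arrival_time, sa, seq)
    for i, cls in enumerate(classes):
        sa = cls if per_class_sa else "single"
        counters[sa] = counters.get(sa, 0) + 1
        arrival = i + (low_delay if cls == "lo" else 0)
        packets.append((arrival, sa, counters[sa]))
    windows = {sa: AntiReplayWindow() for sa in counters}
    return sum(not windows[sa].accept(seq)
               for _, sa, seq in sorted(packets, key=lambda p: p[0]))
```

With the defaults, the shared SA discards 67 legitimate low-priority packets, while two per-class SAs discard none.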