Re: [Ipsec] IKEv2: 1 child IPsec SA ? (stupid question!)



The create-child-sa exchange creates a pair of IPSec SAs, one in each 
direction.  Since in IKE we always create IPSec SAs in pairs, we 
sometimes mistakenly refer to them in singular form.  In the quote 
below, I think that "CHILD_SA" refers to the exchange rather than to 
the actual SAs.

On 30/06/2004, at 20:25, Bob Arthurs wrote:

> Hi all,
>
> Just researching IKEv2 (draft-ietf-ipsec-ikev2-14), and I noticed the 
> reference to a single IPsec SA being created during the initial 4 
> message negotiation (ike_sa_init & ike_auth). For example, I noticed 
> the following reference:
>
> 'In some scenarios, only a single CHILD_SA is needed between the IPsec 
> endpoints and therefore there would be no additional exchanges.'
>
> I know this is a stupid question, but knowing that IPsec SAs are 
> unidirectional, can someone confirm that the initial 4 message IKE 
> negotiation results in a single IPsec SA *in each direction* (giving a 
> total of 2 IPsec SAs) ??
>
> Many thanks in advance
>
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
>
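
The pairing described in the reply, as an added example that is not part of the original thread: a minimal model of what each peer installs after one Child SA negotiation. `Peer`, `IpsecSA`, `negotiate_child_sa` and the addresses are hypothetical names and constructed values; key derivation and traffic selectors are left out.

```python
# Added illustration, not code from the thread or from any IKE implementation.
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class IpsecSA:
    spi: int   # SPI carried in ESP/AH packets; chosen by the receiving peer
    src: str   # sender of traffic on this SA
    dst: str   # receiver of traffic on this SA

class Peer:
    def __init__(self, addr):
        self.addr = addr
        self.inbound = {}    # SPI -> SA, consulted for every received packet
        self.outbound = []   # SAs used for traffic this peer sends

    def new_spi(self):
        # Each peer allocates the SPI for the SA on which it will receive.
        while True:
            spi = secrets.randbits(32)
            if spi > 255 and spi not in self.inbound:   # 0-255 are reserved
                return spi

def negotiate_child_sa(initiator, responder):
    """One negotiation (piggybacked on IKE_AUTH or a later CREATE_CHILD_SA)."""
    spi_i = initiator.new_spi()   # carried in the initiator's SA payload
    spi_r = responder.new_spi()   # carried in the responder's SA payload
    r_to_i = IpsecSA(spi_i, responder.addr, initiator.addr)
    i_to_r = IpsecSA(spi_r, initiator.addr, responder.addr)
    # Both peers install both SAs: one inbound, one outbound.
    initiator.inbound[spi_i] = r_to_i
    initiator.outbound.append(i_to_r)
    responder.inbound[spi_r] = i_to_r
    responder.outbound.append(r_to_i)
    return i_to_r, r_to_i

def unidirectional_sas(*peers):
    # Every SA is inbound at exactly one peer, so this counts each SA once.
    return {sa for p in peers for sa in p.inbound.values()}

if __name__ == "__main__":
    a, b = Peer("192.0.2.1"), Peer("198.51.100.1")   # constructed addresses
    negotiate_child_sa(a, b)
    for sa in unidirectional_sas(a, b):
        print(f"{sa.src} -> {sa.dst}  SPI=0x{sa.spi:08x}")
```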
