
[Ipsec] Is AH + ESP required or needed in IKEv2



The current IKEv2 draft still has this feature that we can negotiate
two protocols at the same time, i.e., we can negotiate AH with SHA-1 and
ESP with AES using one IKE exchange (between the same endpoints, i.e.,
traffic selectors are proto=any, IPi=A, IPr=B).

To my understanding, RFC2401bis does not require this feature
anymore, but it assumes that such constructs are negotiated so that we
first negotiate the AH SA with SHA-1, with its traffic selectors set
to proto=ESP, IPi=A, IPr=B, and then we do a second IKE exchange and
negotiate an ESP SA between the nodes with traffic selectors proto=ANY,
IPi=A, IPr=B.

Is my understanding correct?

So this means that all IKE security association payloads always have a
list of proposals, each of which has only one protocol inside.
-- 
kivinen@safenet-inc.com
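Added illustration, not part of the post above or of any IKEv2 implementation: a small Python model of the two constructs the mail contrasts. Construct (1) is one SA payload in which an AH proposal and an ESP proposal share a proposal number (a bundle); construct (2) is the RFC2401bis-style pair of Child SAs, where the AH SA's traffic selectors match only IP protocol 50 (ESP) and the ESP SA's selectors match any protocol. The numeric protocol IDs, transform types and transform IDs are the RFC 4306 / IANA values; the class layout, the function names and the simplified outbound SPD walk in `protection_order` are this example's own assumptions, and the ESP-inside-AH ordering of a bundle follows RFC 2401's transport-adjacency figure.

```python
"""Model of AH+ESP negotiation in IKEv2: one bundled SA payload versus two
separate Child SAs chained by traffic selectors (example code, not from
the post or any real stack)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IKEv2 Protocol IDs (RFC 4306, section 3.3.1)
PROTO_AH, PROTO_ESP = 2, 3
# IKEv2 transform types (RFC 4306, section 3.3.2) and transform IDs
TT_ENCR, TT_INTEG, TT_ESN = 1, 3, 5
ENCR_AES_CBC, AUTH_HMAC_SHA1_96 = 12, 2
# IP protocol numbers as carried in traffic selectors (0 = any)
IP_PROTO_ANY, IP_PROTO_ESP, IP_PROTO_AH = 0, 50, 51
IP_PROTO_TCP = 6  # sample inner protocol for the outbound walk


@dataclass
class Transform:
    ttype: int
    tid: int
    keylen: Optional[int] = None  # key-length attribute, ENCR only


@dataclass
class Proposal:
    number: int          # proposals sharing a number form one bundle
    protocol_id: int
    transforms: List[Transform]


@dataclass
class TrafficSelector:
    ip_proto: int
    start_addr: str
    end_addr: str


@dataclass
class ChildSa:
    """One negotiated Child SA: the proposals offered plus TSi/TSr."""
    proposals: List[Proposal]
    tsi: TrafficSelector
    tsr: TrafficSelector


def ah_sha1(number: int) -> Proposal:
    return Proposal(number, PROTO_AH,
                    [Transform(TT_INTEG, AUTH_HMAC_SHA1_96), Transform(TT_ESN, 0)])


def esp_aes(number: int) -> Proposal:
    # ESP with AES only, as in the mail; no INTEG transform means no ESP integrity
    return Proposal(number, PROTO_ESP,
                    [Transform(TT_ENCR, ENCR_AES_CBC, 128), Transform(TT_ESN, 0)])


def single_exchange_bundle(a: str, b: str) -> ChildSa:
    """Construct (1): AH and ESP under the same proposal number, TS proto=any."""
    return ChildSa([ah_sha1(1), esp_aes(1)],
                   TrafficSelector(IP_PROTO_ANY, a, a),
                   TrafficSelector(IP_PROTO_ANY, b, b))


def two_exchange_construct(a: str, b: str) -> List[ChildSa]:
    """Construct (2): AH SA selecting only ESP packets, then an ESP SA for any."""
    ah_sa = ChildSa([ah_sha1(1)],
                    TrafficSelector(IP_PROTO_ESP, a, a),
                    TrafficSelector(IP_PROTO_ESP, b, b))
    esp_sa = ChildSa([esp_aes(1)],
                     TrafficSelector(IP_PROTO_ANY, a, a),
                     TrafficSelector(IP_PROTO_ANY, b, b))
    return [ah_sa, esp_sa]


def single_protocol_per_proposal(sa: ChildSa) -> bool:
    """True when no proposal number carries more than one protocol (no bundle)."""
    by_number: Dict[int, Set[int]] = {}
    for p in sa.proposals:
        by_number.setdefault(p.number, set()).add(p.protocol_id)
    return all(len(protos) == 1 for protos in by_number.values())


def protection_order(sas: List[ChildSa], ip_proto: int) -> List[int]:
    """Simplified outbound SPD walk (assumption of this example): pick the first
    not-yet-applied SA whose TSi protocol matches the packet's current outer
    protocol, apply it, and re-evaluate with the new outer header. Within a
    bundle ESP is applied before AH. Returns protocol IDs, innermost first."""
    applied: List[int] = []
    remaining = list(sas)
    while True:
        match = next((sa for sa in remaining
                      if sa.tsi.ip_proto in (IP_PROTO_ANY, ip_proto)), None)
        if match is None:
            return applied
        remaining.remove(match)
        for p in sorted(match.proposals, key=lambda p: p.protocol_id != PROTO_ESP):
            applied.append(p.protocol_id)
            ip_proto = IP_PROTO_ESP if p.protocol_id == PROTO_ESP else IP_PROTO_AH


if __name__ == "__main__":
    pair = two_exchange_construct("A", "B")
    print("bundle is single-protocol:",
          single_protocol_per_proposal(single_exchange_bundle("A", "B")))
    print("two-SA construct applies:", protection_order(pair, IP_PROTO_TCP))
```

With the two-SA construct, a TCP packet misses the AH SA (its selector wants protocol 50), matches the ESP SA, and the resulting ESP packet then matches the AH SA, so the walk yields ESP inside AH, the same result the bundled proposal produces in one exchange; the difference is only that every SA payload in construct (2) carries proposals with a single protocol each.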

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec