[Ipsec] Re: Is AH + ESP required or needed in IKEv2



At 1:55 PM +0300 8/25/04, Tero Kivinen wrote:
>The current IKEv2 draft still has this feature that we can negotiate
>two protocols at the same time, i.e. we can negotiate AH with SHA-1 and
>ESP with AES using one IKE exchange (between same endpoints, i.e.
>traffic selectors are proto=any, IPi=A, IPr=B).
>
>To my understanding the RFC2401bis does not require this feature
>anymore, but it assumes that such constructs are negotiated so that we
>first negotiate the AH with SHA-1 where its traffic selectors are set
>to proto=ESP, IPi=A, IPr=B and then we do a second IKE exchange and
>negotiate an ESP SA between the nodes having traffic selectors proto=ANY,
>IPi=A, IPr=B.
>
>Is my understanding correct?
>
>So this means that all IKE security association payloads always have a
>list of proposals which all only have one protocol inside.
>--
>kivinen@safenet-inc.com

We had anticipated that 2401bis would have a single SPD entry that 
resulted in combined AH+ESP, nor would we require support for this 
sort of nesting, except via appropriate configuration of the SPD and 
forwarding tables.

However, we were reminded that IKEv2 still supported the negotiation 
of both protocols at once, so I think the current version of 2401bis 
still allows it, and there is some mention of this as a special case. 
But I'd be happy to remove this "feature" to make life simpler and 
cleaner.

Steve
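Added example (not from either poster): a small Python model of IKEv2 SA payload proposals (RFC 4306 section 3.3 encoding) that detects the one-exchange AH+ESP bundle Tero describes (two Proposal substructures sharing a proposal number) and rewrites it as the two single-protocol exchanges 2401bis assumes. The transform IDs and IP protocol numbers are the IANA values; the SPI bytes are constructed sample data.

```python
import struct

PROTO_AH, PROTO_ESP = 2, 3              # IKEv2 Protocol IDs (RFC 4306)
TT_ENCR, TT_INTEG = 1, 3                # transform types: encryption, integrity
ENCR_AES_CBC, AUTH_HMAC_SHA1_96 = 12, 2 # transform IDs
IPPROTO_ANY, IPPROTO_ESP = 0, 50        # traffic-selector protocol: 0 = any

def encode_transform(ttype, tid, last):
    # Transform substructure: 0=last/3=more, RESERVED, length, type, RESERVED, ID
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)

def encode_proposal(num, proto, spi, transforms, last):
    # Proposal substructure: 0=last/2=more, RESERVED, length, proposal #,
    # protocol ID, SPI size, transform count, then SPI and transforms.
    body = b"".join(encode_transform(t, i, k == len(transforms) - 1)
                    for k, (t, i) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + body

def encode_sa_payload(proposals):
    return b"".join(encode_proposal(n, p, s, t, k == len(proposals) - 1)
                    for k, (n, p, s, t) in enumerate(proposals))

def bundles(proposals):
    """Proposal numbers carrying more than one protocol: the AH+ESP-in-one-
    exchange construct the thread discusses."""
    by_num = {}
    for num, proto, _spi, _tf in proposals:
        by_num.setdefault(num, set()).add(proto)
    return sorted(n for n, protos in by_num.items() if len(protos) > 1)

def split_bundle(proposals):
    """The 2401bis form: an AH SA whose selector is proto=ESP, then a
    separate ESP SA whose selector is proto=any (two IKE exchanges)."""
    ah = [p for p in proposals if p[1] == PROTO_AH]
    esp = [p for p in proposals if p[1] == PROTO_ESP]
    return [(ah, IPPROTO_ESP), (esp, IPPROTO_ANY)]

# Constructed sample: one proposal (#1) bundling AH/SHA-1 and ESP/AES.
BUNDLE = [
    (1, PROTO_AH, b"\x00\x00\x10\x01", [(TT_INTEG, AUTH_HMAC_SHA1_96)]),
    (1, PROTO_ESP, b"\x00\x00\x20\x02", [(TT_ENCR, ENCR_AES_CBC)]),
]

if __name__ == "__main__":
    print("bundled proposal numbers:", bundles(BUNDLE))
    for props, ts_proto in split_bundle(BUNDLE):
        print(f"exchange: protocols={[p[1] for p in props]} ts_proto={ts_proto}")
```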

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec