[Ipsec] Re: Is AH + ESP required or needed in IKEv2
At 1:55 PM +0300 8/25/04, Tero Kivinen wrote:
>The current IKEv2 draft still has this feature that we can negotiate
>two protocols at the same time, i.e. we can negotiate AH with SHA-1 and
>ESP with AES using one IKE exchange (between the same endpoints, i.e.
>traffic selectors are proto=any, IPi=A, IPr=B).
>
>To my understanding the RFC2401bis does not require this feature
>anymore, but it assumes that such constructs are negotiated so that we
>first negotiate the AH with SHA-1 where its traffic selectors are set
>to proto=ESP, IPi=A, IPr=B and then we do second IKE exchange and
>negotiate ESP SA between the nodes having traffic selectors proto=ANY,
>IPi=A, IPr=B.
>
>Is my understanding correct?
>
>So this means that all IKE security association payloads always have a
>list of proposals, each of which only has one protocol inside.
>--
>kivinen@safenet-inc.com
We had anticipated that 2401bis would not have a single SPD entry that
resulted in combined AH+ESP, nor would we require support for this
sort of nesting, except via appropriate configuration of the SPD and
forwarding tables.
However, we were reminded that IKEv2 still supported the negotiation
of both protocols at once, so I think the current version of 2401bis
still allows it, and there is some mention of this as a special case.
But I'd be happy to remove this "feature" to make life simpler and
cleaner.
Steve
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
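The two alternatives discussed in this thread, as an added worked example that is not part of the original messages, the IKEv2 draft, RFC 2401bis or any IPsec implementation: an IKEv2 SA payload that negotiates AH and ESP at once (two proposal substructures sharing one proposal number), next to the two single-protocol SAs whose traffic selectors nest AH around ESP (proto=ESP for the AH SA, proto=ANY for the ESP SA). The substructure encoding follows the proposal and transform layouts of RFC 4306 section 3.3, assumed here to match the draft under discussion; the SPIs and addresses are constructed sample values, and the names of all functions are this example's own.

```python
"""Encode IKEv2 SA proposals and detect an AH+ESP bundle (illustrative code).

Layout assumed from RFC 4306 section 3.3:
  proposal:  last/more(1) rsvd(1) length(2) proposal#(1) protocol(1) spi_size(1) n_transforms(1) spi transforms
  transform: last/more(1) rsvd(1) length(2) type(1) rsvd(1) transform_id(2) attributes
A bundle is signalled by consecutive proposals carrying the same proposal number
but different protocol IDs; that is the feature the thread proposes dropping.
"""
import struct
from collections import defaultdict

PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3          # IKEv2 protocol IDs
TT_ENCR, TT_PRF, TT_INTEG, TT_DH, TT_ESN = 1, 2, 3, 4, 5
ENCR_AES_CBC = 12                                   # IANA transform IDs
AUTH_HMAC_SHA1_96 = 2
ATTR_KEY_LENGTH = 14                                # TV attribute, AF bit set
IP_PROTO_ANY, IP_PROTO_ESP = 0, 50                  # traffic-selector protocol field

# Constructed sample transform sets: "AH with SHA-1" and "ESP with AES".
AH_SHA1 = [(TT_INTEG, AUTH_HMAC_SHA1_96, None), (TT_ESN, 0, None)]
ESP_AES = [(TT_ENCR, ENCR_AES_CBC, 128), (TT_INTEG, AUTH_HMAC_SHA1_96, None), (TT_ESN, 0, None)]


def encode_transform(ttype, tid, key_len=None, last=True):
    body = struct.pack("!BBH", ttype, 0, tid)
    if key_len is not None:                         # key length as a TV attribute
        body += struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len)
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body


def encode_proposal(num, proto, spi, transforms, last=True):
    tbytes = b"".join(
        encode_transform(t, i, k, last=(n == len(transforms) - 1))
        for n, (t, i, k) in enumerate(transforms)
    )
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0,
                      8 + len(spi) + len(tbytes), num, proto, len(spi), len(transforms))
    return hdr + spi + tbytes


def encode_sa(proposals):
    """proposals: list of (proposal#, protocol, spi, transforms); sets last/more flags."""
    return b"".join(encode_proposal(*p, last=(n == len(proposals) - 1))
                    for n, p in enumerate(proposals))


def parse_proposals(data):
    """Walk the proposal chain; returns [(proposal#, protocol, spi, n_transforms)]."""
    out, off = [], 0
    while off < len(data):
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if more not in (0, 2) or plen < 8 + spi_size or off + plen > len(data):
            raise ValueError("malformed proposal at offset %d" % off)
        out.append((num, proto, data[off + 8:off + 8 + spi_size], ntrans))
        off += plen
        if more == 0:
            break
    if off != len(data):
        raise ValueError("trailing bytes after last proposal")
    return out


def protocols_by_proposal(data):
    groups = defaultdict(list)
    for num, proto, _, _ in parse_proposals(data):
        groups[num].append(proto)
    return dict(groups)


def is_bundle(data):
    """True if some proposal number carries more than one protocol (AH+ESP in one exchange)."""
    return any(len(set(protos)) > 1 for protos in protocols_by_proposal(data).values())


# One exchange, one proposal number, two protocols: the feature under discussion.
BUNDLE = encode_sa([(1, PROTO_AH, b"\x00\x00\x00\x11", AH_SHA1),
                    (1, PROTO_ESP, b"\x00\x00\x00\x22", ESP_AES)])
# Single-protocol SAs as 2401bis expects them.
AH_ONLY = encode_sa([(1, PROTO_AH, b"\x00\x00\x00\x11", AH_SHA1)])
ESP_ONLY = encode_sa([(1, PROTO_ESP, b"\x00\x00\x00\x22", ESP_AES)])


def nested_ah_esp_plan(ip_i, ip_r):
    """Two IKE exchanges whose traffic selectors nest AH around ESP (hypothetical plan format)."""
    return [
        {"sa": AH_ONLY, "ts": (IP_PROTO_ESP, ip_i, ip_r)},   # AH SA protects the ESP packets
        {"sa": ESP_ONLY, "ts": (IP_PROTO_ANY, ip_i, ip_r)},  # ESP SA carries the real traffic
    ]


if __name__ == "__main__":
    print("bundle:", protocols_by_proposal(BUNDLE), "is_bundle =", is_bundle(BUNDLE))
    for step in nested_ah_esp_plan("A", "B"):
        print("single-protocol SA", protocols_by_proposal(step["sa"]), "ts =", step["ts"])
```

A responder that implements the simplification Steve offers would reject any SA payload for which is_bundle() is true and rely on the two-step plan instead; the nesting then comes from the selectors and forwarding configuration, not from the IKE exchange itself.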