Greetings, I am new to this group, so I hope I am not raising an issue which was addressed earlier. I was reading draft-ietf-ipsecme-ikev2bis, and I came across some inconsistent terminology which I believe also exists in RFC 4306.
RFC 4301 defines a SA as a simplex "connection", and states that (section 4.1): "To secure typical, bi-directional communication between two IPsec-enabled systems, a pair of SAs (one in each direction) is required. IKE explicitly creates SA pairs in recognition of this common usage requirement." However in an example scenario in section 2.9.1 of draft-ietf-ipsecme-ikev2bis, it seems that an SA can be used to carry traffic in both directions: " Suppose that host A has a policy whose effect is that traffic to 192.0.1.66 is sent via host B encrypted using AES, and traffic to all other hosts in 192.0.1.0/24 is also sent via B, but must use 3DES. Suppose also that host B accepts any combination of AES and 3DES. If host A now proposes an SA that uses 3DES, and includes TSr containing (192.0.1.0-192.0.1.255), this will be accepted by host B. Now, host B can also use this SA to send traffic from 192.0.1.66, but those packets will be dropped by A since it requires the use of AES for those traffic. Even if host A creates a new SA only for 192.0.1.66 that uses AES, host B may freely continue to use the first SA for the traffic. In this situation, when proposing the SA, host A should have followed its own policy, and included a TSr containing ((192.0.1.0-192.0.1.65),(192.0.1.67-192.0.1.255)) instead." Because of the same issue, when RFC 4306 or draft-ietf-ipsecme-ikev2bis talks about creating an IKE SA, this would imply that the IKE SA would be a simplex "connection". Similarly, it is not clear from RFC 4306 or draft-ietf-ipsecme-ikev2bis whether a CREATE_CHILD_SA exchange (or, the initial IKE_AUTH exchange) creates a single SA, i.e. a simplex "connection", or a pair of SAs. Can someone please clarify which usage is correct? Would the workgroup consider resolving this ambiguity in the revision to IKEv2? Thanks and best regards, Emre -- Emre Gunduzhan, Ph.D The Johns Hopkins University Applied Physics Laboratory Applied Information Sciences Department Communication and Networking Systems Group (VCS)
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
