Hi Emre, IKE SA is bi-directional i.e. one SA is used in both directions, initiator to responder and responder to initiator. CHILD_SAs i.e. IPsec SAs (AH, ESP) are uni-directional, one in each direction. So we 2 IPsec SAs per connection.
Thanks, Raj On Fri, May 22, 2009 at 7:41 PM, Gunduzhan, Emre <emre.gunduz...@jhuapl.edu>wrote: > Greetings, > > I am new to this group, so I hope I am not raising an issue which was > addressed earlier. I was reading draft-ietf-ipsecme-ikev2bis, and I came > across some inconsistent terminology which I believe also exists in RFC > 4306. > > RFC 4301 defines a SA as a simplex "connection", and states that (section > 4.1): > "To secure typical, bi-directional communication between two IPsec-enabled > systems, a pair of SAs (one in each direction) is required. IKE explicitly > creates SA pairs in recognition of this common usage requirement." > > However in an example scenario in section 2.9.1 of > draft-ietf-ipsecme-ikev2bis, > it seems that an SA can be used to carry traffic in both directions: > " Suppose that host A has a policy whose effect is that traffic to > 192.0.1.66 is sent via host B encrypted using AES, and traffic to all other > hosts in 192.0.1.0/24 is also sent via B, but must use 3DES. Suppose also > that host B accepts any combination of AES and 3DES. > > If host A now proposes an SA that uses 3DES, and includes TSr containing > (192.0.1.0-192.0.1.255), this will be accepted by host B. Now, host B can > also use this SA to send traffic from 192.0.1.66, but those packets will be > dropped by A since it requires the use of AES for those traffic. Even if > host A creates a new SA only for 192.0.1.66 that uses AES, host B may freely > continue to use the first SA for the traffic. In this situation, when > proposing the SA, host A should have followed its own policy, and included a > TSr containing ((192.0.1.0-192.0.1.65),(192.0.1.67-192.0.1.255)) instead." > > Because of the same issue, when RFC 4306 or draft-ietf-ipsecme-ikev2bis > talks about creating an IKE SA, this would imply that the IKE SA would be a > simplex "connection". Similarly, it is not clear from RFC 4306 or > draft-ietf-ipsecme-ikev2bis whether a CREATE_CHILD_SA exchange (or, the > initial IKE_AUTH exchange) creates a single SA, i.e. a simplex "connection", > or a pair of SAs. > > Can someone please clarify which usage is correct? Would the workgroup > consider resolving this ambiguity in the revision to IKEv2? > > Thanks and best regards, > Emre > > -- > Emre Gunduzhan, Ph.D > The Johns Hopkins University Applied Physics Laboratory > Applied Information Sciences Department > Communication and Networking Systems Group (VCS) > > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > >
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
