At 10:11 AM -0400 5/22/09, Gunduzhan, Emre wrote:
Greetings,
I am new to this group, so I hope I am not raising an issue which
was addressed earlier. I was reading draft-ietf-ipsecme-ikev2bis,
and I came across some inconsistent terminology which I believe also
exists in RFC 4306.
RFC 4301 defines an SA as a simplex "connection", and states that
(section 4.1):
"To secure typical, bi-directional communication between two
IPsec-enabled systems, a pair of SAs (one in each direction) is
required. IKE explicitly creates SA pairs in recognition of this
common usage requirement."
However, in an example scenario in section 2.9.1
of draft-ietf-ipsecme-ikev2bis, it seems that an SA can be used to
carry traffic in both directions:
" Suppose that host A has a policy whose effect is that traffic to
192.0.1.66 is sent via host B encrypted using AES, and traffic to
all other hosts in 192.0.1.0/24 is also sent via B, but must use
3DES. Suppose also that host B accepts any combination of AES and
3DES.
4301 is correct. Sometimes folks refer to the pair of SAs that IKE
always creates as an SA, but that is not the correct terminology.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
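The RFC 4301 picture Steve's reply describes, as an added example that is not part of the thread: each SA is simplex, and IKE negotiates a Child SA pair (one per direction, each with its own SPI) when the SPD entry for an outbound packet has no SA yet. The SPD reproduces the section 2.9.1 scenario; it also shows the ordering caveat the thread does not spell out, namely that RFC 4301 takes the first matching SPD entry, so the /32 AES rule has to sit before the /24 3DES rule. All class names, SPI values and the lookup functions are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    direction: str  # "out" or "in": an SA carries traffic one way only
    cipher: str


@dataclass(frozen=True)
class SAPair:
    outbound: SA
    inbound: SA


@dataclass(frozen=True)
class SPDEntry:
    dst: ipaddress.IPv4Network
    cipher: str


# Host A's ordered SPD from the quoted 2.9.1 scenario. The /32 entry must
# precede the /24 entry because the first matching entry wins.
SPD = [
    SPDEntry(ipaddress.ip_network("192.0.1.66/32"), "AES"),
    SPDEntry(ipaddress.ip_network("192.0.1.0/24"), "3DES"),
]


def lookup_policy(spd, dst):
    """First-match SPD lookup on destination address (RFC 4301 ordering)."""
    for entry in spd:
        if ipaddress.ip_address(dst) in entry.dst:
            return entry
    return None


def create_child_sa_pair(entry, base_spi):
    """Model of IKE's behaviour: two simplex SAs with distinct SPIs."""
    return SAPair(SA(base_spi, "out", entry.cipher),
                  SA(base_spi + 1, "in", entry.cipher))


def select_outbound_sa(spd, sad, dst, first_spi=0x1000):
    """Outbound SA for a packet to dst; negotiates a pair if none exists."""
    entry = lookup_policy(spd, dst)
    if entry is None:
        return None
    if entry not in sad:  # constructed SPIs; real ones are chosen by each peer
        sad[entry] = create_child_sa_pair(entry, first_spi + 2 * len(sad))
    return sad[entry].outbound
```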