Steve, Thanks for the clarification. So, at the end of the initial IKE_AUTH exchange, there will (typically) be a pair of CHILD SAs created, one in each direction, is this correct? That is, you never create a single SA by IKE_AUTH or CREATE_CHILD_SA, and create another SA in the other direction by a subsequent CREATE_CHILD_SA?
This is really ambiguous in RFC 4306 (at least to me) and it would be great if it could be clarified in the revised version.

Thanks,
Emre

________________________________
From: Stephen Kent [mailto:k...@bbn.com]
Sent: Sunday, May 24, 2009 9:38 PM
To: Gunduzhan, Emre
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Inconsistent usage of SA

At 10:11 AM -0400 5/22/09, Gunduzhan, Emre wrote:

Greetings,

I am new to this group, so I hope I am not raising an issue which was addressed earlier. I was reading draft-ietf-ipsecme-ikev2bis, and I came across some inconsistent terminology which I believe also exists in RFC 4306.

RFC 4301 defines an SA as a simplex "connection", and states that (section 4.1): "To secure typical, bi-directional communication between two IPsec-enabled systems, a pair of SAs (one in each direction) is required. IKE explicitly creates SA pairs in recognition of this common usage requirement."

However, in an example scenario in section 2.9.1 of draft-ietf-ipsecme-ikev2bis, it seems that an SA can be used to carry traffic in both directions:

"Suppose that host A has a policy whose effect is that traffic to 192.0.1.66 is sent via host B encrypted using AES, and traffic to all other hosts in 192.0.1.0/24 is also sent via B, but must use 3DES. Suppose also that host B accepts any combination of AES and 3DES."

4301 is correct. Sometimes folks refer to the pair of SAs that IKE always creates as an SA, but that is not the correct terminology.

Steve
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
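The point Steve makes (one CHILD_SA negotiation, two simplex SAs) and the section 2.9.1 scenario Emre quotes are easier to see in a small model. The Python below is an added example for this thread, not code from the thread's participants or from any IPsec implementation. It assumes, in simplified form, that each peer chooses the SPI of the SA on which it will receive and hands it to the other side in its SA payload, that the accepted cipher and traffic selectors are mirrored into both SAs of the pair, and that the two policy lines of the 2.9.1 scenario end up as two separate negotiations; the addresses and SPI values are constructed.

```python
"""Toy model of an IKEv2 CHILD_SA negotiation producing a pair of
one-directional SAs (RFC 4301 semantics), used here to illustrate the
terminology question raised on the list.

Assumptions (not taken from the thread): each peer picks the SPI for the
SA on which it *receives*; cipher and traffic selectors are mirrored
into both SAs of the pair; every CHILD_SA negotiation yields one pair.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed, deterministic SPI source so runs are reproducible.
_spi_counter = itertools.count(0x1000)


@dataclass(frozen=True)
class SA:
    """One simplex SA as RFC 4301 defines it: traffic flows one way only."""
    direction: str   # "inbound" or "outbound" from the owning peer's view
    spi: int         # chosen by whichever peer receives on this SA
    cipher: str
    local_ts: str    # traffic selector on the owner's side
    remote_ts: str   # traffic selector on the peer's side


@dataclass
class Peer:
    """A host with a Security Association Database (SAD)."""
    name: str
    sad: list = field(default_factory=list)

    def new_inbound_spi(self) -> int:
        """Pick the SPI the peer must put on packets sent to us."""
        return next(_spi_counter)

    def outbound_sa_for(self, dst: str) -> SA | None:
        """Most specific outbound SA whose remote selector covers dst."""
        target = ip_network(dst)
        candidates = [sa for sa in self.sad
                      if sa.direction == "outbound"
                      and target.subnet_of(ip_network(sa.remote_ts))]
        return max(candidates,
                   key=lambda sa: ip_network(sa.remote_ts).prefixlen,
                   default=None)

    def inbound_sa_for(self, spi: int) -> SA | None:
        """Inbound SA identified by the SPI carried in a received packet."""
        return next((sa for sa in self.sad
                     if sa.direction == "inbound" and sa.spi == spi), None)


def create_child_sa(initiator: Peer, responder: Peer, cipher: str,
                    ts_i: str, ts_r: str) -> tuple[SA, SA]:
    """Model one CHILD_SA negotiation (IKE_AUTH or CREATE_CHILD_SA).

    Returns the (inbound, outbound) SAs installed at the initiator; the
    responder installs the mirror image. One negotiation == one SA pair,
    so 'the SA' that people speak of loosely is really these two records.
    """
    spi_i = initiator.new_inbound_spi()   # sent in the initiator's SA payload
    spi_r = responder.new_inbound_spi()   # sent in the responder's SA payload
    i_in = SA("inbound", spi_i, cipher, ts_i, ts_r)
    i_out = SA("outbound", spi_r, cipher, ts_i, ts_r)
    r_in = SA("inbound", spi_r, cipher, ts_r, ts_i)
    r_out = SA("outbound", spi_i, cipher, ts_r, ts_i)
    initiator.sad += [i_in, i_out]
    responder.sad += [r_in, r_out]
    return i_in, i_out


def scenario_2_9_1() -> tuple[Peer, Peer]:
    """The policy from section 2.9.1: AES to 192.0.1.66, 3DES elsewhere.

    Two negotiations are needed, giving host A four SAs (two pairs).
    Host A's own address is a constructed value.
    """
    a, b = Peer("A"), Peer("B")
    create_child_sa(a, b, "AES", "10.0.0.1/32", "192.0.1.66/32")
    create_child_sa(a, b, "3DES", "10.0.0.1/32", "192.0.1.0/24")
    return a, b


if __name__ == "__main__":
    host_a, host_b = scenario_2_9_1()
    for sa in host_a.sad:
        print(f"{host_a.name} {sa.direction:8} spi=0x{sa.spi:x} "
              f"{sa.cipher:4} -> {sa.remote_ts}")
    print("to 192.0.1.66 :", host_a.outbound_sa_for("192.0.1.66").cipher)
    print("to 192.0.1.7  :", host_a.outbound_sa_for("192.0.1.7").cipher)
```

Running it prints host A's four SAs and shows that the most specific outbound match selects AES for 192.0.1.66 and 3DES for the rest of the /24, while each inbound SA is keyed by the SPI the local host itself chose.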