Hi Emre,

On Tue, May 26, 2009 at 6:38 PM, Gunduzhan, Emre
<emre.gunduz...@jhuapl.edu> wrote:

>  Steve,
>
> Thanks for the clarification. So, at the end of the initial IKE_AUTH
> exchange, there will (typically) be a pair of CHILD SAs created, one in each
> direction, is this correct?
>
Yes.

> That is, you never create a single SA by IKE_AUTH or CREATE_CHILD_SA, and
> create another SA in the other direction by a subsequent CREATE_CHILD_SA?
>
We create a pair of SAs, one for inbound and one for outbound traffic. These
SAs will be uniquely identified on the peer by inside SPI and outside SPI.
The inside SPI on one peer will be the outside SPI on the other peer and vice
versa.
Yes, we create a pair of SAs using CREATE_CHILD_SA. Also, CREATE_CHILD_SA is
used for REKEY of the IKE SA; only in that case will CREATE_CHILD_SA create a
single SA.

>
> This is really ambiguous in RFC 4306 (at least to me) and would be great if
> it can be clarified in the revised version.
>
> Thanks,
> Emre
>
Thanks,
Raj

>
>
>  ------------------------------
>
>
>  *From:* Stephen Kent [mailto:k...@bbn.com]
> *Sent:* Sunday, May 24, 2009 9:38 PM
> *To:* Gunduzhan, Emre
> *Cc:* ipsec@ietf.org
> *Subject:* Re: [IPsec] Inconsistent usage of SA
>
>  At 10:11 AM -0400 5/22/09, Gunduzhan, Emre wrote:
>
>
> Greetings,
>
>
>
> I am new to this group, so I hope I am not raising an issue which was
> addressed earlier. I was reading draft-ietf-ipsecme-ikev2bis, and I came
> across some inconsistent terminology which I believe also exists in RFC
> 4306.
>
>
>
> RFC 4301 defines a SA as a simplex "connection", and states that (section
> 4.1):
>
> "To secure typical, bi-directional communication between two IPsec-enabled
> systems, a pair of SAs (one in each direction) is required. IKE explicitly
> creates SA pairs in recognition of this common usage requirement."
>
>
>
> However in an example scenario in section 2.9.1
> of draft-ietf-ipsecme-ikev2bis, it seems that an SA can be used to carry
> traffic in both directions:
>
> " Suppose that host A has a policy whose effect is that traffic to
> 192.0.1.66 is sent via host B encrypted using AES, and traffic to all other
> hosts in 192.0.1.0/24 is also sent via B, but must use 3DES.  Suppose also
> that host B accepts any combination of AES and 3DES.
>
>
> 4301 is correct. Sometimes folks refer to the pair of SAs that IKE always
> creates as an SA, but that is not the correct terminology.
>
> Steve
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
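The SA-pair semantics discussed in this thread can be made concrete with a small model of the SPI exchange. The following is an added illustration, not code from the thread, from RFC 4306 or from any IKE implementation. It assumes a simplified view in which each peer's SA payload carries only the SPI that peer wants to receive on; the peer names, addresses and the injectable `rng` hook are constructed for the example. It shows that IKE_AUTH / CREATE_CHILD_SA leaves each peer with two simplex Child SAs (the inbound SPI at one peer being the outbound SPI at the other, as Raj describes), while rekeying the IKE SA yields a single bidirectional IKE SA identified by its SPI pair.

```python
"""Model of the Child SA pair that IKEv2 installs per IKE_AUTH / CREATE_CHILD_SA.

Added example with constructed values; not from the thread or any IKE stack.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ChildSA:
    """One simplex (single-direction) SA, as RFC 4301 section 4.1 defines it."""
    spi: int          # chosen by the peer that RECEIVES on this SA
    direction: str    # "inbound" or "outbound" from the owning peer's view
    local: str
    remote: str


@dataclass(frozen=True)
class IkeSA:
    """The IKE SA is one bidirectional SA identified by the (SPIi, SPIr) pair."""
    spi_i: int
    spi_r: int


class Peer:
    def __init__(self, name: str, addr: str, rng=secrets.randbits):
        self.name, self.addr = name, addr
        self._rng = rng           # hypothetical hook so tests can fix SPI values
        self.sad = {}             # Security Association Database: (spi, dir) -> ChildSA

    def choose_spi(self, bits: int = 32) -> int:
        # ESP SPIs are 32 bits and values 0..255 are reserved (RFC 4303);
        # IKE SPIs are 64 bits and must be non-zero. Reject both ranges.
        while True:
            spi = self._rng(bits)
            if spi > 255 and (spi, "inbound") not in self.sad:
                return spi

    def install_pair(self, my_spi: int, peer_spi: int, peer_addr: str):
        """Install the two simplex SAs that together carry one Child SA."""
        inbound = ChildSA(my_spi, "inbound", self.addr, peer_addr)
        outbound = ChildSA(peer_spi, "outbound", self.addr, peer_addr)
        self.sad[(my_spi, "inbound")] = inbound
        self.sad[(peer_spi, "outbound")] = outbound
        return inbound, outbound


def create_child_sa(initiator: Peer, responder: Peer):
    """SPI exchange of IKE_AUTH / CREATE_CHILD_SA for a Child SA.

    Each side sends the SPI it wants to receive on; each side then installs
    one inbound and one outbound SA, so both peers end up with a pair.
    """
    spi_i = initiator.choose_spi()        # carried in the initiator's SA payload
    spi_r = responder.choose_spi()        # carried in the responder's SA payload
    initiator.install_pair(spi_i, spi_r, responder.addr)
    responder.install_pair(spi_r, spi_i, initiator.addr)
    return spi_i, spi_r


def rekey_ike_sa(initiator: Peer, responder: Peer) -> IkeSA:
    """CREATE_CHILD_SA carrying an IKE SA proposal produces ONE new IKE SA."""
    return IkeSA(initiator.choose_spi(bits=64), responder.choose_spi(bits=64))


def pair_is_consistent(a: Peer, b: Peer, spi_a: int, spi_b: int) -> bool:
    """A's inbound SPI is B's outbound SPI and vice versa, as the thread states."""
    a_in, b_out = a.sad[(spi_a, "inbound")], b.sad[(spi_a, "outbound")]
    b_in, a_out = b.sad[(spi_b, "inbound")], a.sad[(spi_b, "outbound")]
    return (a_in.spi == b_out.spi and b_in.spi == a_out.spi
            and a_in.direction == "inbound" and b_out.direction == "outbound")


def sa_count(peer: Peer) -> int:
    """Number of simplex SAs in the peer's SAD."""
    return len(peer.sad)


if __name__ == "__main__":
    a, b = Peer("A", "192.0.2.1"), Peer("B", "192.0.2.2")   # constructed addresses
    spi_i, spi_r = create_child_sa(a, b)
    for p in (a, b):
        print(p.name, [(hex(sa.spi), sa.direction) for sa in p.sad.values()])
    print("consistent:", pair_is_consistent(a, b, spi_i, spi_r))
    print("IKE SA after rekey:", rekey_ike_sa(a, b))
```

Run as a script it prints both peers' SADs; each holds exactly two Child SA entries with swapped SPIs, whereas `rekey_ike_sa` returns a single object, which is the distinction the thread draws between Child SA creation and IKE SA rekeying.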
