nanog mailing list archives
Why are IPsec SAs unidirectional
From: Bart Hermans <bart.hermans () os3 nl>
Date: Sat, 15 Feb 2020 19:17:00 +0100
Recently I did a dive into IPsec and the related RFCs describing the techniques used to set up a site-to-site tunnel. The RFCs I've been reading are quite clear. However, there's one thing I can't seem to put my finger on. From what I know, the phase 1 ISAKMP Security Association (SA) is unidirectional. This tunnel is then used to set up two unidirectional tunnels (https://tools.ietf.org/html/rfc4301 Section 4.1.).

Does someone know why these IPsec SAs are unidirectional? Usually the RFC describes some reasoning behind certain design decisions. However, I can't seem to find a justification other than "It's by design".

On the Internet, however, I read that the two-SA requirement was chosen from a security perspective: if the key material of one of the SAs leaks, only one direction of the traffic can be inspected by a third party. The problem with this reasoning is that I can't seem to find an additional source claiming the same thing. Therefore, I'm not sure whether it's true.
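The following is an added example (not part of the original post or of any reply in the thread) illustrating the per-direction key split that makes a leaked SA only expose one direction. It follows RFC 7296 sections 2.13 (prf+) and 2.17 (KEYMAT = prf+(SK_d, Ni | Nr), consumed as SK_ei | SK_ai | SK_er | SK_ar), and the RFC 4301 rule that the SPI in an inbound packet selects exactly one inbound SA. Everything else is an assumption for illustration: HMAC-SHA256 as the prf, AES-128/HMAC-SHA256 key sizes, an HMAC-derived XOR keystream standing in for the real AES transform, and constructed SK_d, nonces and SPI values. Function and class names (prf_plus, derive_child_sa_pair, ChildSA, esp_encrypt, esp_decrypt, try_decrypt_with, leaked_one_direction) are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed transform sizes: AES-128 encryption key, HMAC-SHA256 integrity key, 128-bit ICV.
ENCR_KEY_LEN = 16
INTEG_KEY_LEN = 32
ICV_LEN = 16


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13 with HMAC-SHA256 as prf:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), output = T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


@dataclass(frozen=True)
class ChildSA:
    spi: int       # chosen by the receiving peer; carried in every ESP packet of this direction
    sk_e: bytes    # encryption key used for this direction only
    sk_a: bytes    # integrity key used for this direction only


def derive_child_sa_pair(sk_d: bytes, ni: bytes, nr: bytes, spi_i: int, spi_r: int):
    """RFC 7296 section 2.17: KEYMAT = prf+(SK_d, Ni | Nr), taken in the order
    SK_ei | SK_ai | SK_er | SK_ar. The two directions share no key bytes."""
    keymat = prf_plus(sk_d, ni + nr, 2 * (ENCR_KEY_LEN + INTEG_KEY_LEN))
    bounds = [0, ENCR_KEY_LEN, ENCR_KEY_LEN + INTEG_KEY_LEN,
              2 * ENCR_KEY_LEN + INTEG_KEY_LEN, 2 * (ENCR_KEY_LEN + INTEG_KEY_LEN)]
    sk_ei, sk_ai, sk_er, sk_ar = (keymat[a:b] for a, b in zip(bounds, bounds[1:]))
    # Initiator->responder packets carry the responder's SPI, and vice versa.
    return ChildSA(spi_r, sk_ei, sk_ai), ChildSA(spi_i, sk_er, sk_ar)


def _keystream(sk_e: bytes, seq: int, length: int) -> bytes:
    # Constructed stand-in for AES: a per-packet keystream derived from this direction's SK_e.
    return prf_plus(sk_e, seq.to_bytes(4, "big"), length)


def esp_encrypt(sa: ChildSA, seq: int, plaintext: bytes) -> bytes:
    """Outbound: SPI | seq | ciphertext | ICV, all keyed from one direction's SA."""
    header = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(sa.sk_e, seq, len(plaintext))))
    icv = hmac.new(sa.sk_a, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decrypt(sadb: dict, packet: bytes) -> bytes:
    """Inbound: select the SA by SPI (RFC 4301 section 4.1), verify ICV, then decrypt."""
    spi = int.from_bytes(packet[:4], "big")
    seq = int.from_bytes(packet[4:8], "big")
    sa = sadb.get(spi)
    if sa is None:
        raise LookupError(f"no inbound SA for SPI {spi:#x}")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.sk_a, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: these keys do not belong to this SPI/direction")
    return bytes(c ^ k for c, k in zip(body, _keystream(sa.sk_e, seq, len(body))))


def try_decrypt_with(sa: ChildSA, packet: bytes):
    """What an attacker holding one SA's keys can do: force those keys onto any packet."""
    spi = int.from_bytes(packet[:4], "big")
    try:
        return esp_decrypt({spi: sa}, packet)
    except ValueError:
        return None


# Constructed demo values; in a real exchange SK_d and the nonces come from IKE.
SK_D = hashlib.sha256(b"constructed SK_d for the example").digest()
NI, NR = b"initiator-nonce!", b"responder-nonce!"
SA_I2R, SA_R2I = derive_child_sa_pair(SK_D, NI, NR, spi_i=0xC0FFEE01, spi_r=0xBEEF0002)


def leaked_one_direction() -> dict:
    """Leak only the initiator->responder SA and report which directions become readable."""
    pkt_i2r = esp_encrypt(SA_I2R, 1, b"request from initiator")
    pkt_r2i = esp_encrypt(SA_R2I, 1, b"reply from responder")
    leaked = SA_I2R
    return {
        "initiator_to_responder": try_decrypt_with(leaked, pkt_i2r) == b"request from initiator",
        "responder_to_initiator": try_decrypt_with(leaked, pkt_r2i) is not None,
    }


if __name__ == "__main__":
    print(leaked_one_direction())
```

The point the example makes concrete: each direction has its own SPI and its own slice of KEYMAT, so a peer's inbound SADB entry (or a leaked copy of it) verifies and decrypts exactly one direction of the child SA.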
Current thread:
- Why are IPsec SAs unidirectional Bart Hermans (Feb 16)
- Re: Why are IPsec SAs unidirectional Crist Clark (Feb 16)
- Re: Why are IPsec SAs unidirectional Brandon Martin (Feb 16)
- Re: Why are IPsec SAs unidirectional Amir Herzberg (Feb 16)