Why are IPsec SAs unidirectional

Bart Hermans bart.hermans at os3.nl
Sat Feb 15 18:17:00 UTC 2020


Recently I did a dive into IPsec and the related RFCs describing the
techniques used to set up a site-to-site tunnel. The RFCs I've been
reading are quite clear. However, there's one thing I can't seem to put
my finger on. From what I know, the phase 1 ISAKMP Security
Association (SA) is unidirectional. This tunnel is then used to set up
two unidirectional tunnels (https://tools.ietf.org/html/rfc4301 Section
4.1).

Does someone know why these IPsec SAs are unidirectional? Usually the
RFC describes some reasoning behind certain design decisions. However, I
can't seem to find a justification other than "It's by design". On the
Internet, however, I read that the two-SA requirement is chosen from a
security perspective: if the key material of one of the SAs leaks, only
one direction of the traffic can be inspected by a third party. The problem
with this reasoning is that I can't seem to find an additional source
claiming the same thing. Therefore, I'm not sure whether it's true.
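An added illustration for readers of this thread (not code from the post or from any IPsec implementation) of the property the question describes: two unidirectional SAs, each with its own SPI and key, with the per-direction keys cut from one prf+ output the way IKEv2 splits KEYMAT (RFC 7296 §2.17; an assumption beyond the RFC 4301 reference above). The packet protection is a constructed toy, not real ESP; the point is that a leaked key for one SA verifies and decrypts only that SA's direction.

```python
import hashlib
import hmac
import os

# Toy model of two unidirectional IPsec SAs, each with its own SPI and key.
# Key derivation mirrors the IKEv2 KEYMAT split (RFC 7296 section 2.17):
# one prf+ output stream is cut into the initiator->responder key first,
# then the responder->initiator key. Simplified here to one key per direction.

def prf_plus(k: bytes, s: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13 with HMAC-SHA256 as the PRF."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(k, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]

def derive_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, klen: int = 32):
    keymat = prf_plus(sk_d, ni + nr, 2 * klen)
    return keymat[:klen], keymat[klen:]   # (init->resp key, resp->init key)

def protect(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """Toy ESP-like protection: HMAC-SHA256 keystream + HMAC tag (NOT real ESP)."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    stream = prf_plus(key, b"enc" + header, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"auth" + header + body, hashlib.sha256).digest()[:16]
    return header + body + tag

def unprotect(key: bytes, packet: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    header, body, tag = packet[:8], packet[8:-16], packet[-16:]
    expected = hmac.new(key, b"auth" + header + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = prf_plus(key, b"enc" + header, len(body))
    return bytes(b ^ s for b, s in zip(body, stream))

def leak_one_direction():
    """Constructed scenario: SA A->B (SPI 0x1001) key leaks; SA B->A (SPI 0x2002) does not."""
    sk_d, ni, nr = os.urandom(32), os.urandom(16), os.urandom(16)   # constructed inputs
    k_ab, k_ba = derive_sa_keys(sk_d, ni, nr)
    pkt_ab = protect(k_ab, 0x1001, 1, b"A->B payload")
    pkt_ba = protect(k_ba, 0x2002, 1, b"B->A payload")
    leaked = k_ab   # only the A->B SA's key is assumed compromised
    return unprotect(leaked, pkt_ab), unprotect(leaked, pkt_ba)
```

Running `leak_one_direction()` yields the A->B plaintext and `None` for the B->A packet, since the other SA's key is independent rather than derived from the leaked one.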
