Why are IPsec SAs unidirectional
Brandon Martin
lists.nanog at monmotha.net
Sun Feb 16 22:30:52 UTC 2020
On 2/15/20 1:17 PM, Bart Hermans wrote:
> Does someone know why these IPsec SAs are unidirectional?
My take on it:
* IP, on which IPSec is directly built, is not a bidirectional protocol.
It is unidirectional and fire-and-forget. There's no assumption made
that the source address specified in a given packet is even reachable
from the destination address (much to the chagrin of many network
operators), though it's supposed to be the case that it is. Making SAs
bidirectional would therefore represent something of a layering
inversion which the IP suite has been surprisingly careful to avoid.
* While many protocols built on top of IP, including ISAKMP, are
bidirectional, not all are, so having unidirectional SAs is potentially
useful, especially in the case of e.g. multicast as another poster
pointed out.
* ISAKMP is not the only way to key IPSec SAs. It's a fairly complex
protocol and is separate from the base IPSec specifications. Someone
could come up with another, possibly better way to do it. You can also
key them manually. Again, projecting the nature of ISAKMP onto IPSec
would be a layering violation and might inhibit future use cases of the
latter.
* An IPSec SA itself is quite simple. Making it unidirectional is
in line with that notion and appears to have few consequences.
* An IPSec SPD is also unidirectional (one could argue that this is a
mistake, but see all the above), and an SA follows directly from an SPD.
--
Brandon Martin
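As an added illustration (not part of the post above), a small Python model of the point that an SA follows from a unidirectional SPD entry: two-way traffic is two independent SAs, while a multicast sender needs only one outbound SA that every receiver installs inbound. Host names A, B, S, group G, the SPIs and the keys are constructed; the SAD is simplified to (SPI, destination) without the ESP/AH protocol field.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class SA:
    """One unidirectional Security Association (constructed model)."""
    spi: int
    dst: str
    direction: str  # "out" or "in"; an SA never serves both directions
    key: bytes

class IPsecNode:
    def __init__(self) -> None:
        # Outbound SPD: (src, dst) selector -> SPI of the outbound SA to apply.
        self.spd_out: List[Tuple[Tuple[str, str], int]] = []
        # SAD keyed by (SPI, dst); real stacks also key on ESP/AH, omitted here.
        self.sad: Dict[Tuple[int, str], SA] = {}

    def add_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst)] = sa

    def add_policy(self, src: str, dst: str, spi: int) -> None:
        self.spd_out.append(((src, dst), spi))

    def outbound(self, src: str, dst: str) -> Optional[int]:
        """Outbound path: an SPD selector match picks the outbound SA; returns its SPI."""
        for selector, spi in self.spd_out:
            if selector == (src, dst) and self.sad[(spi, dst)].direction == "out":
                return spi
        return None  # no matching policy (a real stack would bypass or discard)

    def inbound(self, spi: int, dst: str) -> Optional[SA]:
        """Inbound path: lookup by (SPI, dst) only; no reverse SA needs to exist."""
        sa = self.sad.get((spi, dst))
        return sa if sa is not None and sa.direction == "in" else None

def build_bidirectional_tunnel() -> Tuple[IPsecNode, IPsecNode]:
    """Two-way traffic between A and B is two unrelated SAs with their own SPIs and keys."""
    a, b = IPsecNode(), IPsecNode()
    a.add_sa(SA(0x1001, "B", "out", b"kA2B")); b.add_sa(SA(0x1001, "B", "in", b"kA2B"))
    b.add_sa(SA(0x2002, "A", "out", b"kB2A")); a.add_sa(SA(0x2002, "A", "in", b"kB2A"))
    a.add_policy("A", "B", 0x1001); b.add_policy("B", "A", 0x2002)
    return a, b

def build_multicast() -> Tuple[IPsecNode, List[IPsecNode]]:
    """Sender S to group G: one outbound SA, installed inbound on every receiver."""
    sender = IPsecNode()
    sender.add_sa(SA(0x3003, "G", "out", b"kG")); sender.add_policy("S", "G", 0x3003)
    receivers: List[IPsecNode] = []
    for _ in range(3):
        r = IPsecNode(); r.add_sa(SA(0x3003, "G", "in", b"kG")); receivers.append(r)
    return sender, receivers
```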