Why are then two (or more) SAs are created If both AH and ESP protection is applied to a traffic stream?

Asked Aug 02 '16 at 02:00

Active Aug 02 '16 at 02:07

Viewed 120 times

A Security Association (SA) is a simplex "connection" that affords
security services to the traffic carried by it. Security services
are afforded to an SA by the use of AH, or ESP, but not both. If
both AH and ESP protection is applied to a traffic stream, then two
(or more) SAs are created to afford protection to the traffic stream.

https://www.rfc-editor.org/rfc/rfc2401

Question 1 : Why are two or more SAs created instead of one when both AH and ESP are used?

Question 2: Why would it be bad to use both AH and ESP for one Security Association?

edited Oct 07 '21 at 07:34

Community

asked Aug 02 '16 at 02:00

Edlen

2

ESP provides everything AH does, plus more (confidentiality). I do not see why you would use both and I'd be surprised to see if software actually allowed it. – André Borie Aug 02 '16 at 02:20
The RFC does not tell this is bad, the RFC explains how it works and simply say that SA have been designed as simplex and what this imply. IPSec could have been designed a different way, but this is way it has been. For more information about SA, please check what is a security association and how does it relate to ipsec? – WhiteWinterWolf Oct 05 '16 at 08:52

Why are then two (or more) SAs are created If both AH and ESP protection is applied to a traffic stream?

0 Answers0