Dharmanandana,

1. SA bundle is the ordered list of SAs. For SA cluster, it contains a set of SAs. Which SA is used for traffic protection is purely implementation dependent. The SA cluster means only one SA is used while SA bundle means all SAs are used. Single SA can be viewed as cluster SA with only one sub-SA.

In your example, your understanding is correct. Either SA can be used, but not necessarily both.

2. If IPsec supports SA cluster, IKE should be extended to support SA negotiation. We can work out the details if SA cluster can be supported. IKE extension will solve the interoperability problem.

3. That is true. It implies different paths. Different paths may use the same or different routes. But the different paths have used different SAs to protect it.

Thanks,
Victor

From: dharmanandana pothulam
Sent: Thursday, April 05, 2012 9:18 AM
To: Xiangyang zhang
Cc: ipsec@ietf.org
Subject: [IPSec]: Multiple path IP Security for draft-zhang-ipsecme-multi-path-ipsec-00

Hi Zhang,

I am confused about the statement in your draft "Unlike SA bundle, one IP packet is still protected by one single SA instead of nested SAs". Does single SA mean cluster SA? Or sub-SA? If it is cluster SA, what exactly does it mean from the SAD point of view?

For example, let us consider the following header: the host is tunneling a packet to the gateway using ESP but is authenticating to the end host B. How do we address this using your proposed solution, SA clustering? If multiple packets go through two different sub-SAs, here my understanding is that two different sub-SAs means two separate SAs, which are the ESP SA and the AH SA. Does this mean a packet goes through either the ESP SA or the AH SA? Please correct me if I misunderstood.

[Bb726946.f4_14(en-us,TechNet.10).gif]<http://technet.microsoft.com/en-us/library/Bb726946.f4_14_big(l=en-us).gif>

Second point, about SA cluster feature support: do both parties need to exchange vendor ID to express support and use of the SA cluster feature? It would be better to address this in the draft, including proposed vendor ID values, if vendor ID is used in IKE negotiation.

Third point, about the name of the draft: I feel multiple path sounds like multiple routes; it does not imply multiple SAs.

Regards,
Dharmanandana Reddy Pothula.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec