In Security Association, I understand that after the AUTH exchange a child SA will be created. But what is the need to create multiple child SAs, and what is the difference between an IKE_SA and a CHILD_SA?
1/ Multiple child SAs
Although having a single child SA seems to be sufficient, there are cases where you really need multiple child SAs:
- rekeying -- the process of rekeying is defined as establishing a new SA and then closing the old SA. There is a time period when both the old and the new SAs are valid.
- different SAs for different traffic -- under some setups you might need to have a different level of protection for different services (e.g. AH for some unimportant traffic and ESP with strong parameters for the confidential one)
2/ IKE_SA vs CHILD_SA difference
- IKE_SA is the SA which protects the IKE traffic
- CHILD_SA is the SA which protects non-IKE traffic
Hope this helps a bit!
Disclaimer: It has been some time since I was dealing with this, so please do validate my thoughts

vlp
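As an added example (not part of the original answer), here is how the two points above map onto a real configuration, assuming strongSwan's swanctl.conf format: one IKE_SA carrying two CHILD_SAs with different protection levels, each with its own rekey timer. The addresses, identities and PSK are constructed placeholders.

```conf
# Added example, not from the original answer. One IKE_SA ("site-to-site")
# protects the IKE traffic; its two children protect the non-IKE traffic.
connections {
    site-to-site {
        version = 2                       # IKEv2
        local_addrs  = 192.0.2.1          # placeholder address
        remote_addrs = 198.51.100.1       # placeholder address
        local {
            auth = psk
            id = gw-a.example             # placeholder identity
        }
        remote {
            auth = psk
            id = gw-b.example             # placeholder identity
        }
        proposals  = aes256-sha256-x25519 # IKE_SA proposal (protects IKE itself)
        rekey_time = 4h                   # IKE_SA rekey; children survive it

        children {
            # CHILD_SA 1: confidential traffic, ESP with AEAD cipher and PFS
            confidential {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256gcm16-x25519
                rekey_time = 1h           # new CHILD_SA is set up before this one
                rand_time  = 10m          # expires, so both are briefly valid
                start_action = trap
            }
            # CHILD_SA 2: integrity-only AH for low-value monitoring traffic
            monitoring {
                local_ts  = 10.1.9.0/24
                remote_ts = 10.2.9.0/24
                ah_proposals = sha256-x25519
                rekey_time = 1h
                start_action = trap
            }
        }
    }
}

secrets {
    ike-site {
        id-a = gw-a.example
        id-b = gw-b.example
        secret = "REPLACE-WITH-A-STRONG-PSK"   # placeholder, not a real key
    }
}
```

Running `swanctl --list-sas` after the tunnel is up shows the single IKE_SA with both CHILD_SAs beneath it, and during a child rekey you will briefly see two SAs for the same traffic selectors.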