On 2/15/20 1:17 PM, Bart Hermans wrote:
Does someone know why these IPsec SAs are unidirectional?
My take on it: * IP, on which IPSec is directly built, is not a bidirectional protocol. It is unidirection and fire-and-forget. There's no assumption made that the source address specified in a given packet is even reachable from the destination address (much to the chagrin of many network operators), though it's supposed to be the case that it is. Making SAs bidirectional would therefore represent something of a layering inversion which the IP suite has been surprisingly careful to avoid. * While many protocols built on top of IP, including ISAKMP are bidirectional, not all are, so having unidirectional SAs is potentially useful especially in the case of e.g. multicast as another poster pointed out. * ISAKMP is not the only way to key IPSec SAs. It's a fairly complex protocol and is separate from the base IPSec specifications. Someone could come up with another, possibly better way to do it. You can also key them manually. Again, projecting the nature of ISAKMP onto IPSec would be a layering violation and might inhibit future use cases of the latter. * An IPSec SA itself is quite simple. Making it unidirectional is in-line with that notion and appears to have few consequences. * An IPSec SPD is also unidirectional (one could argue that this is a mistake, but see all the above), and an SA follows directly from an SPD. -- Brandon Martin