nanog mailing list archives

Re: Why are IPsec SAs unidirectional


From: Brandon Martin <lists.nanog () monmotha net>
Date: Sun, 16 Feb 2020 17:30:52 -0500

On 2/15/20 1:17 PM, Bart Hermans wrote:
> Does someone know why these IPsec SAs are unidirectional?

My take on it:

* IP, on which IPSec is directly built, is not a bidirectional protocol. It is unidirectional and fire-and-forget. There's no assumption made that the source address specified in a given packet is even reachable from the destination address (much to the chagrin of many network operators), though it's supposed to be the case that it is. Making SAs bidirectional would therefore represent something of a layering inversion which the IP suite has been surprisingly careful to avoid.

* While many protocols built on top of IP, including ISAKMP, are bidirectional, not all are, so having unidirectional SAs is potentially useful, especially in the case of e.g. multicast, as another poster pointed out.

* ISAKMP is not the only way to key IPSec SAs. It's a fairly complex protocol and is separate from the base IPSec specifications. Someone could come up with another, possibly better way to do it. You can also key them manually. Again, projecting the nature of ISAKMP onto IPSec would be a layering violation and might inhibit future use cases of the latter.

* An IPSec SA itself is quite simple. Making it unidirectional is in line with that notion and appears to have few consequences.

* An IPSec SPD is also unidirectional (one could argue that this is a mistake, but see all the above), and an SA follows directly from an SPD.
--
Brandon Martin
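The SPD/SAD lookups the post refers to, as an added illustration that is not part of the original message and not taken from any IPsec implementation: a toy Python model of the RFC 4301 databases, manually keyed the way the post says is possible. It shows why one TCP connection needs two SAs (the receiver finds an SA by SPI plus outer destination, the sender by matching selectors against the outbound SPD) and that a multicast sender needs only one. Hosts, addresses, SPIs and keys are all constructed for the example.

```python
"""Toy model of the IPsec SPD and SAD lookups described in RFC 4301 sections
4.4.1 and 4.4.2. Added example, not code from the original post. All addresses
(RFC 5737/5771 ranges), SPIs and keys below are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str            # on receipt an SA is identified by (SPI, outer dst, protocol)
    proto: str          # "esp" or "ah"
    key: bytes          # placeholder key material, never used here


@dataclass(frozen=True)
class SPDEntry:
    direction: str      # "out" or "in": the SPD itself is per direction
    src_net: str
    dst_net: str
    proto: int
    action: str         # "PROTECT", "BYPASS" or "DISCARD"


class IPsecDB:
    """One host's SPD plus SAD. Each direction of a flow is a separate entry and SA."""

    def __init__(self):
        self.spd = []        # ordered list of SPDEntry
        self.sad = {}        # (spi, dst, proto) -> SA
        self.binding = {}    # outbound SPDEntry -> SA that implements it

    def add_policy(self, entry, sa=None):
        self.spd.append(entry)
        if sa is not None:
            self.sad[(sa.spi, sa.dst, sa.proto)] = sa
            if entry.direction == "out":
                self.binding[entry] = sa

    def outbound(self, pkt):
        """Sender side: first matching outbound SPD entry decides; PROTECT needs an SA."""
        for e in self.spd:
            if (e.direction == "out"
                    and ip_address(pkt.src) in ip_network(e.src_net)
                    and ip_address(pkt.dst) in ip_network(e.dst_net)
                    and e.proto == pkt.proto):
                return e.action, (self.binding.get(e) if e.action == "PROTECT" else None)
        return "DISCARD", None      # RFC 4301: no SPD match means drop

    def inbound(self, spi, dst, proto):
        """Receiver side: the SPI and outer destination select the SA directly."""
        return self.sad.get((spi, dst, proto))


def build_hosts():
    """Manually key one tunnel A<->B: two SAs and two SPD entries on each side,
    plus a one-way multicast SA from A to a group that C only receives."""
    a, b, grp = "192.0.2.1", "198.51.100.1", "233.252.0.7"
    sa_ab = SA(0x1001, dst=b, proto="esp", key=b"\x11" * 16)
    sa_ba = SA(0x2002, dst=a, proto="esp", key=b"\x22" * 16)
    sa_mc = SA(0x3003, dst=grp, proto="esp", key=b"\x33" * 16)
    host_a, host_b, host_c = IPsecDB(), IPsecDB(), IPsecDB()
    host_a.add_policy(SPDEntry("out", f"{a}/32", f"{b}/32", 6, "PROTECT"), sa_ab)
    host_a.add_policy(SPDEntry("in", f"{b}/32", f"{a}/32", 6, "PROTECT"), sa_ba)
    host_b.add_policy(SPDEntry("out", f"{b}/32", f"{a}/32", 6, "PROTECT"), sa_ba)
    host_b.add_policy(SPDEntry("in", f"{a}/32", f"{b}/32", 6, "PROTECT"), sa_ab)
    host_a.add_policy(SPDEntry("out", f"{a}/32", f"{grp}/32", 17, "PROTECT"), sa_mc)
    host_c.add_policy(SPDEntry("in", f"{a}/32", f"{grp}/32", 17, "PROTECT"), sa_mc)
    return host_a, host_b, host_c


def demo():
    host_a, host_b, host_c = build_hosts()
    syn = Packet("192.0.2.1", "198.51.100.1", 6)
    synack = Packet("198.51.100.1", "192.0.2.1", 6)
    mcast = Packet("192.0.2.1", "233.252.0.7", 17)

    _, sa_out = host_a.outbound(syn)                      # A -> B uses SPI 0x1001
    b_accepts = host_b.inbound(sa_out.spi, syn.dst, "esp") is not None
    _, sa_back = host_b.outbound(synack)                  # B -> A needs its own SA
    a_accepts = host_a.inbound(sa_back.spi, synack.dst, "esp") is not None
    # The A->B SA cannot carry the reply: A has no SA with that SPI for itself as dst.
    reverse_reuse = host_a.inbound(sa_out.spi, "192.0.2.1", "esp")
    _, sa_grp = host_a.outbound(mcast)                    # one SA, no reply SA at C
    c_accepts = host_c.inbound(sa_grp.spi, mcast.dst, "esp") is not None
    c_can_reply = host_c.outbound(Packet("203.0.113.9", "192.0.2.1", 17))[0]

    return {"a_to_b": sa_out.spi, "b_to_a": sa_back.spi,
            "b_accepts": b_accepts, "a_accepts": a_accepts,
            "reverse_reuse": reverse_reuse, "mcast": sa_grp.spi,
            "c_accepts": c_accepts, "c_reply": c_can_reply}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same pattern shows up when keying a Linux host by hand: `ip xfrm state add` and `ip xfrm policy add` are each run once per direction, and forgetting the return-direction pair leaves replies unprotected or dropped rather than silently reusing the forward SA.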

