Wednesday, August 5, 2020

In an IPSec tunnel, what is the purpose of having 2 separate secured channels (the ISAKMP SA and the IPSec SA), instead of just 1?

I understand that the ISAKMP SA is used for control traffic and to set up the subsequent IPSec SA, and that the IPSec SA is used for the actual data transfer between the tunnel endpoints. But assuming the initial ISAKMP SA communication channel is already secure, then couldn't it also be used for data traffic?

I guess I just don't understand the logic behind using a secure channel to negotiate another secure channel. It seems like both support the same types of encryption as well, so it's not like the ISAKMP SA is weaker from a security perspective, right?

Is it as simple as more tunnels = more security? Or is it just because that's how they decided to do it?
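As an added illustration, not part of the original post, of one thing the control-channel SA does that the data-plane SA does not: the IKE/ISAKMP SA holds a long-lived key (SK_d) that is only ever used to derive fresh, per-direction keys for each IPSec (child) SA, so data SAs can be created and rekeyed cheaply without redoing the authenticated handshake. The derivation below follows IKEv2's CHILD_SA key expansion (RFC 7296 section 2.13, the successor of ISAKMP/IKEv1 Quick Mode), instantiated with HMAC-SHA-256; SK_D and the nonces are constructed sample values, not captured traffic.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF instantiated as HMAC-SHA-256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:  # the counter is a single octet
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes,
                         enc_len: int = 32, integ_len: int = 32) -> dict:
    """KEYMAT = prf+(SK_d, Ni | Nr) for a CHILD_SA negotiated without PFS.
    Keys are cut from KEYMAT in RFC order: initiator->responder first
    (encryption key, then integrity key), then responder->initiator.
    Each IPsec SA is unidirectional, hence two independent key pairs."""
    sa_len = enc_len + integ_len
    keymat = prf_plus(sk_d, ni + nr, 2 * sa_len)
    i2r, r2i = keymat[:sa_len], keymat[sa_len:]
    return {
        "i2r": {"enc": i2r[:enc_len], "integ": i2r[enc_len:]},
        "r2i": {"enc": r2i[:enc_len], "integ": r2i[enc_len:]},
    }


# Constructed sample values (not real traffic): one IKE SA secret SK_d and the
# nonce pairs of two CHILD_SA exchanges, e.g. an initial SA and a later rekey.
SK_D = bytes.fromhex("0f" * 32)
NONCES_SA1 = (bytes.fromhex("11" * 16), bytes.fromhex("22" * 16))
NONCES_SA2 = (bytes.fromhex("33" * 16), bytes.fromhex("44" * 16))


def independent_sas() -> tuple:
    """Two CHILD_SAs keyed from the same IKE SA: fresh nonces give fresh,
    unrelated data-plane keys without re-running the IKE handshake."""
    return derive_child_sa_keys(SK_D, *NONCES_SA1), derive_child_sa_keys(SK_D, *NONCES_SA2)


if __name__ == "__main__":
    for name, sa in zip(("SA1", "SA2"), independent_sas()):
        print(name, "i2r enc:", sa["i2r"]["enc"].hex()[:16], "r2i enc:", sa["r2i"]["enc"].hex()[:16])
```

Note that SK_d itself never leaves the IKE SA and never appears in any ESP key; the data SAs only ever see the expanded KEYMAT.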
