RE: Security Use Requirements

> No, the initiator port is different (the TCP connections are disjoint).

That is a good thing because it means that you can distinguish between the IPSEC QM SAs.

> However this brings with it another issue. Separate connections (even
> within the same session) can have different security - and this is not a
> useless feature e.g., a private link with a backup public link.
> In other environments you have links with similar needs. Does IPSec
> provide a replication mechanism for security contexts?

It is possible to open multiple IKE QM SAs between the target and the initiator. For example, you could decide that the backup public link requires ESP 3DES while the private link can live with AH. As long as the connections are distinct (e.g. different initiator port) then the target and initiator can figure out which QM SA corresponds to which traffic, and everything will be fine.

It is also possible to negotiate multiple IKE MM SAs between two nodes, although this is rarely done. This might be useful if the initiator wants to use a different certificate for authentication than in a previous IKE MM SA. For example, the set of trusted roots might need to be different, etc. Again, as long as IKE QM SAs derived from that MM SA are distinguishable from other QM SAs derived from other MM SAs, everything will work fine.
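The argument above (several Quick Mode SAs between one initiator and one target, each tied to a distinct TCP connection by its initiator port, so that the private link can run AH while the backup public link runs ESP 3DES) is easy to see in a small model of outbound SA selection. The following is an added example written for this page, not code from the message's author or from any IPsec implementation; the addresses, ports, SPI values and the `SADatabase`/`Selector` names are constructed for illustration. It also shows the failure mode the message warns about: if two SAs' traffic selectors overlap (here, a second SA that does not pin the initiator port), the endpoint can no longer tell which SA a connection belongs to, so the model refuses to install it.

```python
"""Toy model of per-connection Quick Mode SA selection (constructed example).

Not real IPsec code: it only models the selector matching that lets two
endpoints keep several QM SAs alive and map each TCP connection to one of
them. All addresses, ports and SPIs are made-up sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for a single selector field

FIELDS = ("src", "dst", "proto", "src_port", "dst_port")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector of one QM SA; ANY matches every value of that field."""
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    proto: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(self, f) is ANY or getattr(self, f) == getattr(pkt, f)
                   for f in FIELDS)

    def overlaps(self, other: "Selector") -> bool:
        # Two selectors overlap if some packet could match both of them.
        return all(getattr(self, f) is ANY or getattr(other, f) is ANY
                   or getattr(self, f) == getattr(other, f) for f in FIELDS)


@dataclass(frozen=True)
class QuickModeSA:
    spi: int
    protection: str  # e.g. "AH" or "ESP-3DES", the two options named in the message
    selector: Selector


class SADatabase:
    """Outbound SA lookup: every packet must map to at most one QM SA."""

    def __init__(self) -> None:
        self._sas: List[QuickModeSA] = []

    def add(self, sa: QuickModeSA) -> None:
        # Refuse an SA whose selector overlaps an installed one: the endpoints
        # could no longer decide which SA a given connection belongs to.
        for existing in self._sas:
            if existing.selector.overlaps(sa.selector):
                raise ValueError(
                    f"selector of SPI {sa.spi:#x} overlaps SPI {existing.spi:#x}")
        self._sas.append(sa)

    def lookup(self, pkt: Packet) -> Optional[QuickModeSA]:
        hits = [sa for sa in self._sas if sa.selector.matches(pkt)]
        return hits[0] if hits else None


# Constructed topology: initiator 10.0.0.1 talks to target 10.0.0.2; each
# TCP connection uses its own initiator (source) port, as in the message.
INITIATOR, TARGET, TARGET_PORT = "10.0.0.1", "10.0.0.2", 3260
PRIVATE_LINK_PORT, PUBLIC_LINK_PORT = 40001, 40002


def build_example_sad() -> SADatabase:
    """Two QM SAs distinguished only by the initiator port of each connection."""
    sad = SADatabase()
    sad.add(QuickModeSA(0x1001, "AH", Selector(
        INITIATOR, TARGET, "tcp", PRIVATE_LINK_PORT, TARGET_PORT)))
    sad.add(QuickModeSA(0x1002, "ESP-3DES", Selector(
        INITIATOR, TARGET, "tcp", PUBLIC_LINK_PORT, TARGET_PORT)))
    return sad


def protection_for(sad: SADatabase, initiator_port: int) -> Optional[str]:
    """Protection applied to traffic of the connection with this initiator port."""
    sa = sad.lookup(Packet(INITIATOR, TARGET, "tcp", initiator_port, TARGET_PORT))
    return sa.protection if sa else None


def wildcard_port_is_rejected(sad: SADatabase) -> bool:
    """A third SA that leaves the initiator port unspecified would be ambiguous."""
    try:
        sad.add(QuickModeSA(0x1003, "ESP-3DES", Selector(
            INITIATOR, TARGET, "tcp", ANY, TARGET_PORT)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sad = build_example_sad()
    for port in (PRIVATE_LINK_PORT, PUBLIC_LINK_PORT, 40003):
        print(f"initiator port {port}: {protection_for(sad, port)}")
    print("ambiguous SA rejected:", wildcard_port_is_rejected(sad))
```

A packet from port 40003 matches no SA and gets `None`; in a real stack that is where the SPD decides whether to drop the traffic or trigger a new Quick Mode negotiation, which is exactly the case the message leaves open for connections that are not yet distinguishable.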
Last updated: Tue Sep 04 01:05:32 2001