Question about SAs and draft-ietf-ipsec-isakmp-oakley-06

[Will Fiveash <will@austin.ibm.com>]

Can someone clear up some confusion I have?  In the
draft-ietf-ipsec-isakmp-oakley-06.txt (section 5.5) I see:

   "A single SA negotiation results in two security assocations-- one
   inbound and one outbound. Different SPIs for each SA (one chosen by
   the initiator, the other by the responder) guarantee a different key
   for each direction.  The SPI chosen by the destination of the SA is
   used to derive KEYMAT for that SA."

In draft-ietf-ipsec-arch-sec-03.txt (section 4.1) I see:

   "A Security Association (SA) is a simplex "connection" that affords
   security services to the traffic carried by it.  Security services
   are afforded to an SA by the use of AH, or ESP, but not both.  If
   both AH and ESP protection is applied to a traffic stream, then two
   (or more) SAs are created to afford protection to the traffic stream.
   To secure typical, bi-directional communication between two hosts, or
   between two security gateways, two Security Associations (one in each
   direction) are required."

Now a single ISAKMP Phase 2 SA negotiation can contain a proposal that
specifies both AH and ESP protocols.  So shouldn't a single Phase 2 SA
negotiation result in four SAs (SA-AH-In, SA-AH-Out, SA-ESP-In, SA-ESP-Out)
not two as stated in draft-ietf-ipsec-isakmp-oakley-06.txt?

-- 
Will Fiveash    
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904