
Blocks of SPIs



One of Ran's suggestions that came up in discussion was allocating
entire blocks of SPIs (and therefore keys) with the same attributes.  It
might permit much faster session-key changes under high bandwidth*delay.

This is very easy in Photuris, since a change in SPI makes a change in
session key.  A list of SPIs will have widely variant keys (assuming the
mixing function of MD5, SHA, etc, works well).

Note that reducing the number of Photuris exchanges reduces the amount
of analysis material available, too.

After thinking, it seems easiest to make this an attribute:
  type, length, #SPIs, time

By default (no attribute), only one SPI would be generated.

Each exchange would allocate some number of SPIs starting with the
current one (say, 1000 is the SPI, then <#SPIs> = 100 would allocate
1000-1099), and the next SPI would be used every <time> milliseconds.

Also, these SPIs could be used when a large number of sessions are
needed between 2 hosts, to obscure traffic analysis.  The policy
management could choose randomly from the SPI list, obscuring both types
of traffic and number of users.

Any obvious security problems?

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
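Worked through as an added example (not code from the message or from any Photuris implementation): the block arithmetic and the time-driven SPI selection described above. The hash-based `session_key` is a constructed stand-in for the mixing function, and the 32-bit SPI width is an assumption.

```python
import hashlib
import struct

SPI_WIDTH = 2 ** 32  # assumed: SPI is a 32-bit field


def spi_block(base_spi, count):
    """SPIs allocated by one exchange: base, base+1, ..., base+count-1.
    The block must fit in the SPI field; nothing is silently wrapped."""
    if count < 1 or base_spi < 0 or base_spi + count > SPI_WIDTH:
        raise ValueError("block does not fit in the SPI field")
    return list(range(base_spi, base_spi + count))


def spi_in_effect(base_spi, count, interval_ms, elapsed_ms):
    """SPI (and therefore key) in use `elapsed_ms` after the exchange.
    Returns None once every SPI in the block has been consumed, so the
    caller must run a new exchange rather than reuse an SPI (and its key)."""
    if interval_ms < 1 or elapsed_ms < 0:
        raise ValueError("interval must be positive, elapsed non-negative")
    block = spi_block(base_spi, count)
    index = elapsed_ms // interval_ms
    if index >= len(block):
        return None  # block exhausted: rekey via a fresh exchange
    return block[index]


def session_key(shared_secret, spi):
    """Constructed stand-in for the mixing step: hash(secret || SPI).
    Only illustrates that neighbouring SPIs yield unrelated keys."""
    return hashlib.sha256(shared_secret + struct.pack("!I", spi)).digest()


def keys_for_block(shared_secret, base_spi, count):
    """Per-SPI keys for the whole block, keyed by SPI."""
    return {spi: session_key(shared_secret, spi) for spi in spi_block(base_spi, count)}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    keys = keys_for_block(secret, 1000, 100)
    for t in (0, 499, 500, 49_999, 50_000):
        print(t, spi_in_effect(1000, 100, 500, t))
    print(len({k for k in keys.values()}), "distinct keys")
```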