
SPIs, etc.




Folks,

  My vague recollection of the NRL implementation is that it might NOT
support having the same SPI for an AH session as for an ESP session
for a given destination address.  I don't currently have access to the
sources and I could be entirely mistaken on this.

  There is no particular reason that this can't be fixed in some
future revision of the NRL software and I don't think it would be
hard to fix.  A change in getassocbyspi() is about all that would be
required because the caller of getassocbyspi() does know whether an
ESP association or an AH association is being sought.

  Phil Karn is right that the SPI number spaces should be separate for AH
and ESP because they are different protocols.  All are correct that
the current RFCs do NOT make this point sufficiently clear.  I intend
to fix this before Draft Standard.  If I don't fix them when I put out
new I-Ds on 1825-1827, a gentle reminder to me that this needs fixing
and why it needs to be fixed how would be entirely proper.  With my
recent relocation, many of my notes on needed fixes/clarifications for
the documents are lost to me.

  My access to the ipsec list remains erratic, in part due to matters
beyond the control of anyone on my end of the list.  Stuff that one
needs me to see should Bcc: me in addition to the list to be safe.

  By the way, there is a plan to rehost the ipsec list onto a system
at a different organisation (the new system will be running MajorDomo
with MMDF), but that will be implemented in January at the earliest.

Ran
rja@cisco.com
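
Added example, not part of the original message and not NRL code: a security association lookup keyed on destination and SPI alone, next to one that also takes the protocol, which is the kind of change the message describes for getassocbyspi(). The structure, function names, table contents and addresses are hypothetical and constructed for illustration; the real getassocbyspi() signature is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IP protocol numbers assigned to the two IPsec protocols. */
enum { PROTO_ESP = 50, PROTO_AH = 51 };

/* Hypothetical association record (assumption, not the NRL structure). */
struct sa {
    uint32_t dst;      /* destination IPv4 address, host byte order */
    uint8_t proto;     /* PROTO_AH or PROTO_ESP */
    uint32_t spi;
    const char *label;
};

/* Constructed table: AH and ESP use the same SPI for 192.0.2.1. */
static const struct sa sa_table[] = {
    { 0xC0000201u, PROTO_AH,  0x1000u, "ah  -> 192.0.2.1" },
    { 0xC0000201u, PROTO_ESP, 0x1000u, "esp -> 192.0.2.1" },
    { 0xC0000202u, PROTO_ESP, 0x1000u, "esp -> 192.0.2.2" },
};
#define SA_COUNT (sizeof sa_table / sizeof sa_table[0])

/* Keyed on (dst, spi) only: the first entry wins, so an ESP packet
 * can be handed the AH association when the SPI values collide. */
const struct sa *lookup_by_dst_spi(uint32_t dst, uint32_t spi)
{
    for (size_t i = 0; i < SA_COUNT; i++)
        if (sa_table[i].dst == dst && sa_table[i].spi == spi)
            return &sa_table[i];
    return NULL;
}

/* Keyed on (dst, proto, spi): AH and ESP get separate SPI number spaces. */
const struct sa *lookup_by_dst_proto_spi(uint32_t dst, uint8_t proto, uint32_t spi)
{
    for (size_t i = 0; i < SA_COUNT; i++)
        if (sa_table[i].dst == dst && sa_table[i].proto == proto &&
            sa_table[i].spi == spi)
            return &sa_table[i];
    return NULL;
}

int main(void)
{
    /* An inbound ESP packet to 192.0.2.1 carrying SPI 0x1000. */
    printf("two-part key:   %s\n", lookup_by_dst_spi(0xC0000201u, 0x1000u)->label);
    printf("three-part key: %s\n",
           lookup_by_dst_proto_spi(0xC0000201u, PROTO_ESP, 0x1000u)->label);
    return 0;
}
```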


