
Re: correction on SPIs



% Could you be really specific about this, do you mean that we need a triple
% to define a security association, i.e.
% 
%  <spi, dst addr, protocol> -> security association

Hilarie,

It is an implementation detail whether a triple is needed or not.  If
an implementation has separate storage for AH Security Associations and
ESP Security Associations, then the triple is not needed.  If an implementation
has a single shared store for all Security Associations (ESP, AH, RIP, OSPF,
whatever), then a triple might be needed within that implementation in
order to locate the correct SA. The NRL implementation of the Key
Engine is an example of a common store for all sorts of Security 
Associations (including routing protocol authentication, not just ESP or
AH).

The point here is that if I use (SPI = N, Dest Addr = Foo) for an AH
security association, I can (if I wish) still use (SPI = N, Dest Addr = Foo)
for a completely distinct ESP security association.

It is NOT the case that a single Security Association can include both AH
and ESP.  It is the case that an AH security association might be used in
addition to an ESP security association for some packet headed for
some destination (so there is no loss of capability in the previous sentence).

This is one of several areas in RFC-1825 that is not clearly written.

Ran
rja@cisco.com
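An added illustration of the lookup-key point above (example code, not part of the thread or of any IPsec implementation): with separate AH and ESP tables the (SPI, destination) pair is enough, but a single shared store must key on the (SPI, destination, protocol) triple, or an SPI reused across AH and ESP silently overwrites the other protocol's SA. The protocol numbers 50 and 51 are the real IP protocol numbers for ESP and AH; the SPI value, the address "Foo" and the algorithm labels are constructed sample values.

```python
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers for ESP and AH


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str
    proto: int      # AH or ESP: an SA belongs to exactly one of them, never both
    algorithm: str  # constructed label, not a real negotiated transform


class SeparateStores:
    """Per-protocol SA tables: within each table the (SPI, dst) pair is unique."""
    def __init__(self):
        self._tables = {AH: {}, ESP: {}}

    def add(self, sa):
        self._tables[sa.proto][(sa.spi, sa.dst)] = sa

    def lookup(self, spi, dst, proto):
        return self._tables[proto].get((spi, dst))


class SharedStore:
    """One table for every SA kind (AH, ESP, routing-protocol auth, ...).

    With key_includes_proto=False the key is only (SPI, dst), which is the
    ambiguous design the message warns about."""
    def __init__(self, key_includes_proto=True):
        self._table = {}
        self._with_proto = key_includes_proto

    def _key(self, spi, dst, proto):
        return (spi, dst, proto) if self._with_proto else (spi, dst)

    def add(self, sa):
        self._table[self._key(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._table.get(self._key(spi, dst, proto))


def demo(store):
    """Install an AH SA and a distinct ESP SA that reuse (SPI=N, dst=Foo).

    Returns (ah_lookup_correct, esp_lookup_correct)."""
    ah = SecurityAssociation(spi=0x1000, dst="Foo", proto=AH, algorithm="ah-alg")
    esp = SecurityAssociation(spi=0x1000, dst="Foo", proto=ESP, algorithm="esp-alg")
    store.add(ah)
    store.add(esp)  # in a (SPI, dst)-keyed shared store this overwrites the AH entry
    return (store.lookup(0x1000, "Foo", AH) is ah,
            store.lookup(0x1000, "Foo", ESP) is esp)
```

Run `demo` against each store type: the per-protocol stores and the triple-keyed shared store both resolve correctly, while the pair-keyed shared store returns the ESP SA for an AH lookup.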
