Re: correction on SPIs
Ran Atkinson <rja@cisco.com> said:
>
>
> It turns out that my memory is not to be trusted (not entirely surprising :-).
>
> The NRL software does indeed have separate number spaces for SPIs and so
> an AH session and an ESP session to the same destination with the same
> SPI value will indeed be different Security Associations in the Key
> Engine.
>
> IMHO, this is how all implementations ought to work. Unless there is
> WG consensus to the contrary, I intend to make this separation
> very clearly required in the revision to RFC-1825 when I edit it
> in a few months. This should not be hard to implement and makes things
> much simpler for the key mgmt mechanisms.
>
> Ran
> rja@cisco.com
>
Ran,
Requiring separate SPI spaces for ESP and AH seems to break both the
ISAKMP and Photuris model of using a single SPI to reference the
complete set of protections (e.g. both ESP and AH) to be applied to a
packet.
The result of an ISAKMP or Photuris negotiation is a single SPI.
Mark
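To make the two positions in this thread concrete, here is an added example (not code from either poster or from the NRL implementation) of a toy Security Association database that can be keyed either on (destination, protocol, SPI), as Ran describes, or on (destination, SPI) alone; it shows that a single negotiated SPI for an AH+ESP bundle resolves to two distinct SAs only in the first case. Addresses, SPI values and transform names are constructed sample values.

```python
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP

@dataclass(frozen=True)
class SecurityAssociation:
    dst: str        # destination address (constructed sample value)
    proto: int      # AH or ESP
    spi: int        # Security Parameters Index carried in the header
    transform: str  # constructed label for the negotiated transform

class SADB:
    """Toy SA database. separate_spaces=True keys on (dst, proto, spi),
    giving AH and ESP their own SPI spaces; False keys on (dst, spi) only,
    so both protocols share one space and the same SPI value collides."""

    def __init__(self, separate_spaces: bool):
        self.separate_spaces = separate_spaces
        self._table = {}

    def _key(self, dst, proto, spi):
        return (dst, proto, spi) if self.separate_spaces else (dst, spi)

    def install(self, sa):
        key = self._key(sa.dst, sa.proto, sa.spi)
        if key in self._table:
            raise KeyError(f"SPI collision on {key}")
        self._table[key] = sa

    def lookup(self, dst, proto, spi):
        # Inbound processing knows dst, the protocol of the header being
        # processed, and the SPI it carries; the SADB decides what to use.
        return self._table.get(self._key(dst, proto, spi))

def install_bundle(sadb, dst, spi):
    """Install an ESP+AH bundle negotiated under one SPI value.
    Returns True if both SAs fit, False if the shared space rejects the second."""
    sadb.install(SecurityAssociation(dst, ESP, spi, "esp-transform"))
    try:
        sadb.install(SecurityAssociation(dst, AH, spi, "ah-transform"))
    except KeyError:
        return False
    return True
```

With a shared space the AH lookup silently returns the ESP entry, which is the ambiguity the separate-spaces rule removes.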