
Re: correction on SPIs




Ran Atkinson <rja@cisco.com> said:
> 
> 
> It turns out that my memory is not to be trusted (not entirely surprising :-).
> 
> The NRL software does indeed have separate number spaces for SPIs and so
> an AH session and an ESP session to the same destination with the same
> SPI value will indeed be different Security Associations in the Key
> Engine.  
> 
> IMHO, this is how all implementations ought to work.   Unless there is
> WG consensus to the contrary, I intend to make this separation
> very clearly required in the revision to RFC-1825 when I edit it
> in a few months.  This should not be hard to implement and makes things
> much simpler for the key mgmt mechanisms.
> 
> Ran
> rja@cisco.com
> 
Ran,

Requiring separate SPI spaces for ESP and AH seems to break both the
ISAKMP and Photuris model of using a single SPI to reference the
complete set of protections (e.g. both ESP and AH) to be applied to a
packet.

The result of an ISAKMP or Photuris negotiation is a single SPI.  

Mark
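An added example, not part of this message, of Ran's proposal or of the NRL code: a small Python model of a Key Engine's Security Association lookup under the two designs being discussed. With one number space per protocol (the `separate_spaces=True` case) an AH SA and an ESP SA to the same destination can share an SPI value and a single negotiated SPI still maps onto both; with a shared space the second install collides. The header layouts follow RFC 1826 (AH) and RFC 1827 (ESP); the `SADB` class, the `install_bundle` key-management step, the destination address and the packet bytes are all constructed for this example.

```python
"""Added example: a toy IPsec Security Association database (SADB) that
shows what a separate SPI number space per protocol changes.  Constructed
for illustration; not the NRL code or any RFC 1825 reference implementation.
Header layouts: AH per RFC 1826, ESP per RFC 1827."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_ESP = 50
IPPROTO_AH = 51


@dataclass(frozen=True)
class SecurityAssociation:
    protocol: int   # IPPROTO_AH or IPPROTO_ESP
    dst: str        # destination address the SA was negotiated for
    spi: int        # 32-bit Security Parameters Index
    key: bytes      # keying material (opaque here)


class SADB:
    """SA database; `separate_spaces` selects the key used for lookup."""

    def __init__(self, separate_spaces: bool) -> None:
        self.separate_spaces = separate_spaces
        self._db: Dict[Tuple, SecurityAssociation] = {}

    def _key(self, dst: str, protocol: int, spi: int) -> Tuple:
        # Separate spaces: an AH SA and an ESP SA may share an SPI value.
        # Shared space: (dst, SPI) alone must be unique across protocols.
        if self.separate_spaces:
            return (dst, protocol, spi)
        return (dst, spi)

    def install(self, sa: SecurityAssociation) -> None:
        k = self._key(sa.dst, sa.protocol, sa.spi)
        if k in self._db:
            raise ValueError(f"SPI collision: {k} already in use")
        self._db[k] = sa

    def lookup(self, dst: str, protocol: int, spi: int) -> Optional[SecurityAssociation]:
        return self._db.get(self._key(dst, protocol, spi))


def spi_from_header(protocol: int, payload: bytes) -> int:
    """Pull the SPI out of an AH or ESP header (network byte order)."""
    if protocol == IPPROTO_AH:
        # AH: Next Header (1), Payload Len (1), Reserved (2), SPI (4), auth data
        if len(payload) < 8:
            raise ValueError("truncated AH header")
        return struct.unpack("!I", payload[4:8])[0]
    if protocol == IPPROTO_ESP:
        # ESP: SPI (4), then transform-specific (opaque) data
        if len(payload) < 4:
            raise ValueError("truncated ESP header")
        return struct.unpack("!I", payload[0:4])[0]
    raise ValueError(f"protocol {protocol} is not AH or ESP")


def classify(sadb: SADB, dst: str, protocol: int, payload: bytes) -> Optional[SecurityAssociation]:
    """Inbound path: parse the SPI and find the SA that should process the packet."""
    return sadb.lookup(dst, protocol, spi_from_header(protocol, payload))


def install_bundle(sadb: SADB, dst: str, spi: int, ah_key: bytes, esp_key: bytes) -> None:
    """Hypothetical key-management step (assumed, not ISAKMP or Photuris
    itself): one negotiated SPI naming an AH+ESP bundle is installed as one
    SA per protocol, both under that SPI value."""
    sadb.install(SecurityAssociation(IPPROTO_AH, dst, spi, ah_key))
    sadb.install(SecurityAssociation(IPPROTO_ESP, dst, spi, esp_key))


# Constructed sample headers, both carrying SPI 0x1000 to the same host.
DST = "192.0.2.1"
SPI = 0x1000
AH_PAYLOAD = struct.pack("!BBHI", 6, 4, 0, SPI) + bytes(16)   # next hdr TCP, 4 words of auth data
ESP_PAYLOAD = struct.pack("!I", SPI) + bytes(16)               # SPI then opaque transform data


def demo(separate_spaces: bool) -> Tuple[bool, Optional[int], Optional[int]]:
    """Returns (bundle installed without collision, protocol of the SA chosen
    for the AH packet, protocol of the SA chosen for the ESP packet)."""
    sadb = SADB(separate_spaces)
    try:
        install_bundle(sadb, DST, SPI, ah_key=b"A" * 16, esp_key=b"E" * 16)
    except ValueError:
        return (False, None, None)
    ah_sa = classify(sadb, DST, IPPROTO_AH, AH_PAYLOAD)
    esp_sa = classify(sadb, DST, IPPROTO_ESP, ESP_PAYLOAD)
    return (True, ah_sa.protocol if ah_sa else None, esp_sa.protocol if esp_sa else None)


if __name__ == "__main__":
    print("separate spaces:", demo(True))
    print("shared space:   ", demo(False))
```

Run it directly and the separate-space case installs both halves of the bundle and routes each packet to the SA of its own protocol, while the shared-space case refuses the second install as a collision. The protocol number is part of the lookup key only in the first design, which is what makes the SPI value reusable across AH and ESP to the same destination.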
