
Re: correction on SPIs
% In my eyes, the whole reason to have SPIs is to put all the
% protocols and algorithms needed to deal with the given
% connection, in one place.

One can put them all in one place -- without having to share the number
space such that a single (dest addr, SPI) pair refers to _2_ separate
Security Associations.  The goal is that one (dest addr, SPI) pair
uniquely identifies the Security Association for the protocol carrying
the SPI field.  By the point one has an SPI to examine, one must already
know which protocol is being processed.  How one stores the Security
Association data is an implementation matter, not a specification matter.

Combining number spaces makes things MUCH harder IMHO.  Consider that
we have more than just AH and ESP to deal with (particularly in key mgmt,
which ought to be generic to moving keys between systems and not tied to
AH/ESP): we already have OSPF with MD5, RIPv2 with MD5, and a concrete
proposal for RSVP with MD5.  The list of protocols that have built-in
cryptographic mechanisms is getting longer, not shorter.  We need a
generic approach that will scale.  Separate number spaces have this
property.

Ran
rja@cs.nrl.navy.mil
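As an added illustration (not part of Ran's message), a small Python sketch of an SA database keyed on (protocol, destination, SPI), where the SPI is located only after the IP protocol field has been read; the protocol numbers 50 (ESP) and 51 (AH) are the IANA assignments, while the addresses, SPI values and algorithm labels are constructed sample data.

```python
import struct
from dataclasses import dataclass

IPPROTO_ESP, IPPROTO_AH = 50, 51   # IANA protocol numbers

@dataclass(frozen=True)
class SecurityAssociation:
    protocol: int   # AH or ESP: each protocol has its own SPI number space
    dst: str
    spi: int
    algorithm: str  # constructed label standing in for the real SA parameters

class SADB:
    """SA database keyed on (protocol, dst, SPI): an AH SPI and an ESP SPI with
    the same value and destination are two distinct SAs, not a collision."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.protocol, sa.dst, sa.spi)
        if key in self._sas:
            raise ValueError(f"duplicate SA for {key}")
        self._sas[key] = sa

    def lookup(self, protocol, dst, spi):
        return self._sas.get((protocol, dst, spi))

def spi_from_packet(pkt: bytes):
    """Return (protocol, dst, spi) for a minimal IPv4 packet carrying AH or ESP.
    The protocol field is read first; only then can the SPI be located, since
    AH puts it at payload bytes 4-7 and ESP at bytes 0-3."""
    ihl = (pkt[0] & 0x0F) * 4
    protocol, dst, payload = pkt[9], ".".join(str(b) for b in pkt[16:20]), pkt[ihl:]
    if protocol == IPPROTO_ESP:
        return protocol, dst, struct.unpack("!I", payload[0:4])[0]
    if protocol == IPPROTO_AH:
        return protocol, dst, struct.unpack("!I", payload[4:8])[0]
    raise ValueError(f"protocol {protocol} does not carry an SPI")

def build_packet(protocol, dst, spi):
    """Constructed sample: 20-byte IPv4 header plus a minimal AH or ESP header."""
    hdr = bytearray(20)
    hdr[0], hdr[9] = 0x45, protocol
    hdr[16:20] = bytes(int(o) for o in dst.split("."))
    if protocol == IPPROTO_AH:   # next header, payload len, reserved, then SPI, seq
        return bytes(hdr) + bytes([4, 4, 0, 0]) + struct.pack("!II", spi, 1)
    return bytes(hdr) + struct.pack("!II", spi, 1)   # ESP: SPI, seq
```

With a shared number space the key would shrink to (dst, SPI) and the two SAs below would be indistinguishable; with separate spaces both coexist and each packet resolves to exactly one SA.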