
Re: draft-ietf-ipsec-des-md5-00.txt



In message <9605012213.AA21306@secpwr.watson.ibm.com>, pau@watson.ibm.com writes:
>
>For now, I am using addresses. But addresses may not work if NAT
>(network address translation) is used. SPI may be a candidate, but
>the two sides may choose the same SPI value. Perhaps this problem
>should be resolved at IKMP layer rather than at IPSEC layer ?
>The only thing the IKMP layer needs to do is to give IPSEC layer
>a 1-bit flag to indicate direction.
>
>I know that <I-cookie, R-cookie> and <R-cookie, I-cookie> pairs
>can be used to derive 2 uni-directional keys. But can IPSEC assume
>cookies will always be used ?
>
Anything on the packet that is not covered by an AH (or equivalent)
header cannot be used for creating two keys. My feeling is that this
is a KMP layer "problem". And then, I always opt for the greatest
flexibility, which in this case means that the KMP should load each
SPI/address/key tuple separately (maybe massively, but the key would
be explicitly specified). Might make life easier in the future. And
it's simpler too (or seems so).
-Angelos
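As an added example (not part of the thread or any implementation it discusses), the cookie-ordering idea from the quoted message worked out in Python: both sides derive the same two keys from the shared secret and agree on which direction each key covers, with no per-packet direction flag. HMAC-SHA256 and the sample secret/cookie values are assumptions; the consistency check also shows that identical cookies would collapse the two keys into one, the same collision concern the message raises about SPIs.

```python
import hmac
import hashlib

# Constructed sample values (not from the thread): a shared secret from key
# management and the two 8-byte ISAKMP-style cookies.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
I_COOKIE = bytes.fromhex("0123456789abcdef")
R_COOKIE = bytes.fromhex("fedcba9876543210")


def derive_key(secret: bytes, first: bytes, second: bytes) -> bytes:
    """Derive one direction's key by feeding the ordered cookie pair to a PRF.

    HMAC-SHA256 is an assumption for illustration; the 1996 draft under
    discussion predates it and would use a different PRF.
    """
    return hmac.new(secret, first + second, hashlib.sha256).digest()


def unidirectional_keys(secret, i_cookie, r_cookie, is_initiator):
    """Return (outbound_key, inbound_key) for this side.

    Initiator-to-responder traffic uses <I-cookie, R-cookie>; responder-to-
    initiator traffic uses <R-cookie, I-cookie>. Only the ordering differs, so
    both sides know which key protects which direction from the cookies alone.
    """
    i_to_r = derive_key(secret, i_cookie, r_cookie)
    r_to_i = derive_key(secret, r_cookie, i_cookie)
    return (i_to_r, r_to_i) if is_initiator else (r_to_i, i_to_r)


def keys_are_consistent(secret, i_cookie, r_cookie) -> bool:
    """Check the property the scheme relies on: the initiator's outbound key is
    the responder's inbound key (and vice versa), and the two directions get
    different keys. Returns False when the cookies coincide, since then both
    orderings are the same input and the two keys collapse into one."""
    init_out, init_in = unidirectional_keys(secret, i_cookie, r_cookie, True)
    resp_out, resp_in = unidirectional_keys(secret, i_cookie, r_cookie, False)
    return init_out == resp_in and init_in == resp_out and init_out != init_in
```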

