
Re: ISAKMP DOI Question (General, Not IP Specific)



[This is a bit of a change in topic.]

>It depends on your local policy.  I've never quite understood why
>SPI's (as names standing for SA's) aren't under access control.  If
>Alice creates it, why should Bob be allowed to use it?

Actually, AH/ESP SPI's are not particularly convenient names for SA's
from the point of view of applications.

 1) They're unidirectional.  Knowing the inbound SPI a message was
protected with doesn't give you the outbound SPI to use for a reply to
the message.

 2) At least some of them expire and get replaced over time.

Because of these factors, I don't think SPI's should be visible at the
"normal" API; some sort of local-only "SA-set" identifier may be more
appropriate.

(In the case of the sockets API, it might make sense to put it into
the sockaddr; that way any program which just swaps the source and
destination sockaddrs to construct the reply will Do The Right Thing.
This is not likely to be an option for IPv4, but might be for IPv6.)

						- Bill
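As an added illustration of the two points above (constructed here, not code from the original post or any IPsec implementation), a small C model in which a local-only SA-set identifier rides in a hypothetical sockaddr: looking up an SA by the inbound SPI a message arrived on finds nothing usable for sending, while swapping endpoints keeps the set id and still resolves the right outbound SPI even after that SPI has been replaced by a rekey. The structures, table and function names are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed model (not from the original post): an "SA-set" pairs one inbound
 * and one outbound unidirectional SA; SPIs change on rekey, the set id does not. */
#define NSETS 4
typedef struct { uint32_t set_id, spi_in, spi_out; int valid; } sa_set_t;
static sa_set_t sets[NSETS];
/* Hypothetical sockaddr extended with the local-only SA-set identifier. */
typedef struct { uint32_t addr; uint16_t port; uint32_t sa_set; } saddr_t;

static sa_set_t *find_set(uint32_t id) {
    for (int i = 0; i < NSETS; i++)
        if (sets[i].valid && sets[i].set_id == id) return &sets[i];
    return NULL;
}

int add_set(uint32_t id, uint32_t spi_in, uint32_t spi_out) {
    for (int i = 0; i < NSETS; i++)
        if (!sets[i].valid) { sets[i] = (sa_set_t){ id, spi_in, spi_out, 1 }; return 0; }
    return -1;                       /* table full */
}

/* Naming an SA by the SPI a message arrived on: only outbound SAs can protect a
 * reply, and an inbound SPI is never one of them, so this yields 0 (nothing). */
uint32_t outbound_spi_by_spi(uint32_t spi) {
    for (int i = 0; i < NSETS; i++)
        if (sets[i].valid && sets[i].spi_out == spi) return spi;
    return 0;
}

/* Swap source and destination to build the reply; the set id rides along in
 * the sockaddr, so the reply's destination still names the same SA-set. */
void make_reply(const saddr_t *src, const saddr_t *dst, saddr_t *rsrc, saddr_t *rdst) {
    *rsrc = *dst;
    *rdst = *src;
}

/* SPI to protect a packet sent to dst: the outbound half of its SA-set. */
uint32_t outbound_spi_for(const saddr_t *dst) {
    sa_set_t *s = find_set(dst->sa_set);
    return s ? s->spi_out : 0;
}

/* Rekey replaces the outbound SPI; holders of the set id are unaffected. */
int rekey_outbound(uint32_t set_id, uint32_t new_spi) {
    sa_set_t *s = find_set(set_id);
    if (!s) return -1;
    s->spi_out = new_spi;
    return 0;
}
```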

