Inconsistent Specs.
It seems that there is an inconsistency between the most recent drafts
on IPsec and ISAKMP with respect to SPI/SA spaces. The IPsec draft
seems to indicate that there is a single SPI space shared by all
protocols, whereas the ISAKMP spec clearly indicates that this should
not be the case.
from draft-ietf-ipsec-arch-sec-01.txt:
SPI
Acronym for "Security Parameters Index." The combination of an SPI
and a destination address uniquely identifies a simplex security
association (SA, see below). The SPI is carried in IPsec protocols to
select the set of parameters bound to an SA. An SPI has only local
significance, defined by the creator of the SA; thus an SPI is generally
viewed as an opaque bit string. However, the creator of an SA may choose
to interpret the bits in an SPI to facilitate local processing.
[SNIP]
1.5 Security Association Management
The concept of a "Security Association" is fundamental to both the
IP Encapsulating Security Payload and the IP Authentication Header. The
combination of a given Security Parameter Index (SPI) and Destination
Address uniquely identifies a particular "Security Association". An
implementation of the Authentication Header or the Encapsulating Security
Payload MUST support this concept of a Security Association.
A single IPsec Security Association is a simplex (unidirectional)
connection with which either AH or ESP (but not both) is employed. If both
AH and ESP protection is to be applied to a traffic stream, then two (or
more) security associations are created to control processing of the
traffic stream.
from draft-ietf-ipsec-isakmp-07.txt:
Security Parameter Index (SPI) An identifier for a Security Association,
relative to some security protocol. Each security protocol has its own
"SPI-space". A (security protocol, SPI) pair may uniquely identify an
SA. Depending on the DOI, additional information (e.g. host address) may
be necessary to identify an SA.
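The practical consequence of the two readings quoted above is easiest to see in an SA database. The following is an added illustration, not code from the post or from either draft: one SADB keyed by (destination, SPI) as the architecture draft describes, and one keyed by (protocol, SPI, destination) as the ISAKMP draft describes. When a responder allocates SPIs from independent per-protocol spaces, AH and ESP naturally hand out the same first SPI value to the same peer; that is unambiguous under the ISAKMP keying and a collision under the shared-space keying. Addresses, SPI values, the allocation floor of 256 and the transform labels are all constructed for this example.

```python
"""Added illustration of how the two SA-identification rules differ.

All SPI values, addresses and transform names are constructed for this
example; the allocation floor of 256 is this example's own choice.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

AH = "AH"
ESP = "ESP"


@dataclass(frozen=True)
class SecurityAssociation:
    protocol: str   # AH or ESP; a single SA uses exactly one of them
    spi: int        # Security Parameters Index, chosen by the SA's creator
    dst: str        # destination address carried alongside the SPI
    transform: str  # label for the algorithm bound to this SA (constructed)


class SharedSpiSADB:
    """SADB keyed by (destination, SPI): the arch-draft reading.

    With one SPI space shared by all protocols, the (dst, spi) pair must be
    unique across AH and ESP, so a second SA reusing the pair is rejected.
    """

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.dst, sa.spi)
        if key in self._table:
            existing = self._table[key]
            raise ValueError(
                f"SPI {sa.spi:#x} to {sa.dst} already bound to {existing.protocol}")
        self._table[key] = sa

    def lookup(self, dst: str, spi: int) -> Optional[SecurityAssociation]:
        return self._table.get((dst, spi))


class PerProtocolSpiSADB:
    """SADB keyed by (protocol, SPI, destination): the ISAKMP reading.

    Each protocol has its own SPI space, so AH and ESP may both use the
    same SPI value towards the same destination; the packet's protocol
    (AH header vs ESP header) disambiguates the lookup.
    """

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, int, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.protocol, sa.spi, sa.dst)
        if key in self._table:
            raise ValueError(f"duplicate SA {key}")
        self._table[key] = sa

    def lookup(self, protocol: str, spi: int, dst: str) -> Optional[SecurityAssociation]:
        return self._table.get((protocol, spi, dst))


def next_spi(used: Set[int], floor: int = 256) -> int:
    """Allocate the lowest free SPI at or above `floor` within one SPI space."""
    spi = floor
    while spi in used:
        spi += 1
    return spi


def negotiate_ah_and_esp(dst: str) -> Tuple[bool, Optional[str]]:
    """Model a responder with one SPI space per protocol (the ISAKMP model)
    installing an AH SA and an ESP SA to the same peer under both keyings.

    Returns (lookups_distinct_under_per_protocol_keying,
             error_text_under_shared_space_keying_or_None).
    """
    used_ah: Set[int] = set()
    used_esp: Set[int] = set()
    ah = SecurityAssociation(AH, next_spi(used_ah), dst, "mac-transform")
    used_ah.add(ah.spi)
    esp = SecurityAssociation(ESP, next_spi(used_esp), dst, "cipher-transform")
    used_esp.add(esp.spi)
    # Independent spaces both start at the floor, so ah.spi == esp.spi here.

    per_proto = PerProtocolSpiSADB()
    per_proto.add(ah)
    per_proto.add(esp)
    distinct = (per_proto.lookup(AH, ah.spi, dst) is ah
                and per_proto.lookup(ESP, esp.spi, dst) is esp)

    shared = SharedSpiSADB()
    shared.add(ah)
    try:
        shared.add(esp)
        error = None
    except ValueError as exc:
        error = str(exc)
    return distinct, error


if __name__ == "__main__":
    ok, err = negotiate_ah_and_esp("192.0.2.10")  # constructed peer address
    print("per-protocol keying resolves both SAs:", ok)
    print("shared-space keying error:", err)
```

The point for an implementer is that the choice of key is not cosmetic: an SADB keyed only by (destination, SPI) must either coordinate SPI allocation across AH and ESP or reject one of the two SAs, whereas keying by (protocol, SPI, destination) lets each protocol manage its own space as the ISAKMP draft assumes. Whichever the working group settles on, both peers must agree, or one side will fail to locate SAs the other considers valid.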