Re: A pothole in ISAKMP/Oakley
> Also, it is possible to run a pseudo-random generator once, and use the
> new random value as SPI for both ESP and AH (since the spec also says they
> have separate SPI-spaces, see section 2.1 of ISAKMP draft 7). Is this
> broken?
> I guess it is a border-line case.
The requirement for pseudo-random SPIs was not motivated by key management
concerns, but rather to protect against denial of service attacks, I thought.
> Will it interop, I think so.
I didn't realize that the IETF had strict constructionists!
Hilarie