
Re: SPI orthogonality



Ben and Rodney are right; SPIs are per security protocol, as well as per
destination.  We received no requests for changes to this text in the last
round of I-D reviews.  The text, essentially identical for both AH and
ESP, describes SPIs as follows:

2.X  Security Parameters Index

The SPI is an arbitrary 32-bit value that uniquely identifies the
Security Association for this datagram, relative to the destination IP
address contained in the IP header (with which this security header is
associated) and relative to the security protocol employed.  The set of
SPI values in the range 1 through 255 are reserved by the Internet
Assigned Numbers Authority (IANA) for future use; a reserved SPI value
will not normally be assigned by IANA unless the use of the assigned SPI
value is specified in an RFC.  It is ordinarily selected by the
destination system upon establishment of an SA (see the Security
Architecture document for more details).  (A zero value may be used
within an AH/ESP implementation for local debugging purposes, but no AH/ESP
packets should be transmitted with a zero SPI value.)  The SPI field is
mandatory.


I'm not sure what Bill finds "unclear" in this description, but I leave it
to the WG co-chairs to judge.  His text does provide more details re SPI
numeric ranges. However, that material was not present in the ESP or
transform RFCs, or previous ESP drafts.  I don't recall receiving Bill's
"proposed" text as a response to any of the ESP I-Ds that have been
published, so it was not included in the most recent ESP revisions.

I also don't understand Bill's explanation of the difference between an
SAID and an SPI, since an SA is identified by the SPI (in context).  Bill's
examples of Cookie pairs as the way an SA is defined, in the context of
specific key management protocols, do not clarify the difference for me,
and it would have to be generalized to encompass SAs that are manually
keyed.  This seems largely a moot issue, since the term "SAID" does not
appear anywhere in the AH, ESP, or Arch Doc I-Ds.



Steve
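The point of the message above is that an SPI identifies an SA only in context: relative to the destination address and relative to the security protocol (AH or ESP). The following is an added example, not code from the post or from any IPsec implementation, of a minimal Security Association Database keyed exactly that way. It also applies the two SPI-value rules the quoted draft text states (1..255 reserved by IANA, 0 never transmitted) and reads the SPI out of a constructed AH or ESP header. The SA contents, addresses and labels are constructed placeholders; the header layouts used (SPI at offset 0 in ESP, at offset 4 in AH after Next Header, Payload Len and Reserved) are the standard ones, not something the post specifies.

```python
"""Added example (not from the mailing-list post): a Security Association
Database keyed by (destination, security protocol, SPI), showing that the
same 32-bit SPI value can coexist for AH and ESP to the same destination."""

import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PROTO_ESP = 50  # IP protocol number of ESP
PROTO_AH = 51   # IP protocol number of AH

SPI_RESERVED_MAX = 255  # SPI values 1..255 are reserved by IANA (quoted text)
SPI_MAX = 0xFFFFFFFF    # the SPI is a 32-bit field


class SPIError(ValueError):
    """Raised for SPI values or headers that cannot be used on the wire."""


@dataclass
class SecurityAssociation:
    dst: str
    proto: int
    spi: int
    # Constructed placeholder for the keys/algorithms a real SA carries.
    params: dict = field(default_factory=dict)


def validate_spi(spi: int, allow_debug_zero: bool = False) -> int:
    """Apply the SPI value rules from the draft text; return spi if acceptable."""
    if not isinstance(spi, int) or not 0 <= spi <= SPI_MAX:
        raise SPIError(f"SPI must be an unsigned 32-bit value, got {spi!r}")
    if spi == 0 and not allow_debug_zero:
        raise SPIError("SPI 0 is for local debugging only and must not be transmitted")
    if 1 <= spi <= SPI_RESERVED_MAX:
        raise SPIError(f"SPI {spi} lies in the IANA reserved range 1..255")
    return spi


def spi_is_transmittable(spi: int) -> bool:
    """True if the SPI may appear in a transmitted AH/ESP packet."""
    try:
        validate_spi(spi)
        return True
    except SPIError:
        return False


def spi_from_header(proto: int, data: bytes) -> int:
    """Extract the SPI from the start of an AH or ESP header (network byte order).

    ESP carries the SPI in its first 4 bytes; AH carries Next Header,
    Payload Len and a 16-bit Reserved field first, so its SPI is at offset 4.
    """
    if proto == PROTO_ESP:
        offset = 0
    elif proto == PROTO_AH:
        offset = 4
    else:
        raise SPIError(f"not an IPsec security protocol: {proto}")
    if len(data) < offset + 4:
        raise SPIError("truncated security header")
    return struct.unpack_from("!I", data, offset)[0]


class SAD:
    """Security Association Database keyed by (destination, protocol, SPI)."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, int, int], SecurityAssociation] = {}

    @staticmethod
    def _key(dst: str, proto: int, spi: int) -> Tuple[str, int, int]:
        # Normalise the address so textual variants of one address collide.
        return (str(ipaddress.ip_address(dst)), proto, spi)

    def add(self, sa: SecurityAssociation) -> SecurityAssociation:
        if sa.proto not in (PROTO_AH, PROTO_ESP):
            raise SPIError(f"not an IPsec security protocol: {sa.proto}")
        validate_spi(sa.spi)
        key = self._key(sa.dst, sa.proto, sa.spi)
        if key in self._table:
            # Same destination, same protocol, same SPI: a genuine collision.
            raise SPIError(f"SA already exists for {key}")
        self._table[key] = sa
        return sa

    def lookup(self, dst: str, proto: int, spi: int) -> Optional[SecurityAssociation]:
        return self._table.get(self._key(dst, proto, spi))

    def lookup_packet(self, dst: str, proto: int, header: bytes) -> Optional[SecurityAssociation]:
        """Select the SA for an inbound packet from its IP destination,
        its IP protocol field and the SPI carried in the security header."""
        return self.lookup(dst, proto, spi_from_header(proto, header))


def build_demo_sad() -> SAD:
    """Constructed SAD: SPI 0x1000 reused across protocols and destinations."""
    sad = SAD()
    sad.add(SecurityAssociation("192.0.2.1", PROTO_ESP, 0x1000, {"label": "esp-to-.1"}))
    sad.add(SecurityAssociation("192.0.2.1", PROTO_AH, 0x1000, {"label": "ah-to-.1"}))
    sad.add(SecurityAssociation("192.0.2.2", PROTO_ESP, 0x1000, {"label": "esp-to-.2"}))
    return sad


if __name__ == "__main__":
    sad = build_demo_sad()
    esp_hdr = struct.pack("!II", 0x1000, 1)            # constructed ESP: SPI, seq
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1)  # constructed AH: nh, len, rsvd, SPI, seq
    print(sad.lookup_packet("192.0.2.1", PROTO_ESP, esp_hdr).params["label"])  # esp-to-.1
    print(sad.lookup_packet("192.0.2.1", PROTO_AH, ah_hdr).params["label"])    # ah-to-.1
```

Three SAs share SPI 0x1000 without colliding because the table key carries the protocol and destination alongside the SPI; only a fourth entry with all three fields equal would be rejected. The value checks are placed on `add` rather than on lookup, since the receiver chooses its own SPIs and is the party that should refuse reserved or zero values.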



