
Re: SPI orthogonality



>Ben and Rodney are right; SPIs are per security protocol, as well as per
>destination.  We received no requests for changes to this text in the last
>round of I-D reviews.  The text, essentially identical for both AH and
>ESP, describes SPIs as follows:
>
>2.X  Security Parameters Index
>
>The SPI is an arbitrary 32-bit value that uniquely identifies the
>Security Association for this datagram, relative to the destination IP
>address contained in the IP header (with which this security header is
>associated) and relative to the security protocol employed.


This does seem to require separate SPI spaces for AH and ESP.  However, that
is not made clear in the Architecture document.  The latest architecture
draft that I've seen (draft-ietf-ipsec-arch-sec-01.txt) from Nov. 96, says
(p. 6):

"The combination of a given SPI and Destination Address uniquely identifies
a particular Security Association. ... A single IPsec Security Association
is a simplex connection with which either AH or ESP is employed."

This means that an SA can only cover either AH or ESP, but not both.
However, a single SPI space for both AH and ESP would appear to satisfy the
requirements as set forth in the Architecture Draft.  Since the Architecture
Draft touches on this issue, it should do so in a totally unambiguous
manner, for example:

The combination of a given SPI, Destination Address, and Security Protocol
(AH or ESP) uniquely identifies a particular "Security Association."

The definition of SPI (p. 2 of the Architecture Draft) should also be changed.
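To make the difference between the two readings concrete, here is an added example (my own code, not text from this thread and not taken from any IPsec implementation). It builds a toy inbound SA database keyed on the triple (destination address, security protocol, SPI), as the AH/ESP drafts quoted above require, and shows that a lookup keyed only on (destination, SPI), which is all the Architecture Draft wording guarantees, is ambiguous once an AH SA and an ESP SA share an SPI. The packets are constructed in-line; the only protocol facts assumed are the IPv4 header layout and that the SPI sits at offset 0 of the ESP header and offset 4 of the AH header.

```python
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50  # IP protocol number of ESP
IPPROTO_AH = 51   # IP protocol number of AH


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str      # destination address the SA is relative to
    proto: int    # IPPROTO_AH or IPPROTO_ESP
    spi: int      # 32-bit Security Parameters Index
    label: str    # human-readable name, for the demo only


class SADB:
    """Inbound SA database keyed on (dst, protocol, SPI)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.dst, sa.proto, sa.spi)
        if key in self._sas:
            raise ValueError("SA already exists for %r" % (key,))
        self._sas[key] = sa

    def lookup(self, dst, proto, spi):
        """Unambiguous lookup: SPI is relative to destination AND protocol."""
        return self._sas.get((dst, proto, spi))

    def lookup_without_proto(self, dst, spi):
        """Lookup keyed only on (dst, SPI); returns every matching SA."""
        return [sa for sa in self._sas.values() if sa.dst == dst and sa.spi == spi]


def build_packet(dst, proto, spi):
    """Construct a minimal IPv4 packet carrying an AH or ESP header (sample data)."""
    dst_bytes = bytes(int(x) for x in dst.split("."))
    src_bytes = bytes([10, 0, 0, 1])
    if proto == IPPROTO_ESP:
        # ESP header: SPI, then sequence number
        sec = struct.pack("!II", spi, 1)
    elif proto == IPPROTO_AH:
        # AH header: next header, payload length (32-bit words minus 2),
        # reserved, SPI, sequence number; ICV omitted in this toy packet
        sec = struct.pack("!BBHII", 4, 1, 0, spi, 1)
    else:
        raise ValueError("not an IPsec protocol")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sec), 0, 0, 64,
                     proto, 0, src_bytes, dst_bytes)
    return ip + sec


def parse_inbound(packet):
    """Extract (dst, proto, spi) from an inbound packet, or None if not IPsec."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", payload[0:4])
    elif proto == IPPROTO_AH:
        (spi,) = struct.unpack("!I", payload[4:8])
    else:
        return None
    return dst, proto, spi


def demo():
    """Two SAs sharing SPI 0x1000 to the same host: one AH, one ESP."""
    sadb = SADB()
    sadb.add(SecurityAssociation("192.0.2.1", IPPROTO_AH, 0x1000, "ah-sa"))
    sadb.add(SecurityAssociation("192.0.2.1", IPPROTO_ESP, 0x1000, "esp-sa"))

    resolved = {}
    for proto in (IPPROTO_AH, IPPROTO_ESP):
        dst, p, spi = parse_inbound(build_packet("192.0.2.1", proto, 0x1000))
        resolved[p] = sadb.lookup(dst, p, spi).label

    # Keyed without the protocol, the same (dst, SPI) matches both SAs.
    ambiguous = len(sadb.lookup_without_proto("192.0.2.1", 0x1000))
    return resolved, ambiguous


if __name__ == "__main__":
    print(demo())
```

With a single shared SPI space for AH and ESP the two SAs could not coexist and `SADB.add` would have to reject the second one; with per-protocol SPI spaces, only the triple key resolves each inbound packet to exactly one SA.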



