
Re: SPI orthogonality - two comments



When we get to the stage of obscure boundary condition testing "for
conformance" this will become interesting.  Someone will come up with the
following argument:

"If SPI -n- is valid for ESP, and I send you a packet on SPI -n- that's an
AH packet, and you fail to send me back a "Protocol Unreachable" ICMP
message, you are in error."

I'm not saying they are correct, I'm expecting some kind of test jig to
make this sort of claim.

This is in fact a good problem to look forward to, because it will only
happen after we get the documents stabilized.

But right now, and for the sake of argument for the next 3-12 months, I
believe you are right.

At 04:54 PM 7/9/97 -0700, Derrell Piper <piper@cisco.com> wrote:
>>The last time I asked this question, it was as a result of
>>inconsistencies between the IPsec and ISAKMP drafts.  The response was
>>that the IPsec draft was in error (and would be modified).  SA's are
>>indexed by SPI/Remote Address/Protocol triplets.
>
>That is correct.  FWIW though, I also know of several implementations that
>treat the SPI-space as a single namespace and I do not believe that there
>are any operational problems with doing so.  I defy an outside observer to
>determine whether this is or is not the case...
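An added example, not code from this thread or from any of the implementations it mentions: an inbound SA lookup under the two indexing models discussed, the (SPI, remote address, protocol) triplet and a single SPI namespace, applied to the AH-packet-on-an-ESP-SPI case from the conformance argument above. Addresses and SPI values are constructed; the protocol numbers are the IANA ones for AH (51) and ESP (50).

```python
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str    # remote (destination) address the inbound SA is bound to
    proto: int  # AH or ESP
    # Keys, algorithms and replay state omitted; only the index matters here.


class TripletSADB:
    """Inbound SADB indexed by the (SPI, address, protocol) triplet."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._sas:
            raise ValueError(f"duplicate SA {key}")
        self._sas[key] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))


class SingleNamespaceSADB:
    """Inbound SADB where one SPI value names one SA, whatever the protocol."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        if sa.spi in self._sas:
            raise ValueError(f"SPI {sa.spi:#x} already allocated")
        self._sas[sa.spi] = sa

    def lookup(self, spi, dst, proto):
        sa = self._sas.get(spi)
        # Address and protocol are still checked, so a mismatch is a miss;
        # from outside, this is indistinguishable from the triplet model.
        if sa is not None and (sa.dst, sa.proto) == (dst, proto):
            return sa
        return None


def inbound_decision(sadb, spi, dst, proto):
    """'process' when the packet maps to an SA, otherwise 'drop' (and audit)."""
    return "process" if sadb.lookup(spi, dst, proto) else "drop"
```

The only visible difference between the two models is on the SA-allocation side: the triplet model can hold an AH SA and an ESP SA under the same SPI value, while the single-namespace model refuses the second allocation.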
