
Re: SPI orthogonality



I think the main problem is one of terminology.  To quote the SPI text:

>The SPI is an arbitrary 32-bit value that uniquely identifies the
>Security Association for this datagram, relative to the destination IP
>address contained in the IP header (with which this security header is
>associated) and relative to the security protocol employed.  

This statement, while technically correct (the last clause is critical),
is perhaps confusing to some in the case where a datagram has both AH
and ESP applied to it.  Suppose host A exchanges keying material with
host B, and then uses said keying material to protect datagrams using
both AH and ESP ---- how many security associations are there between
host A and host B?  Are there one, or are there two?

If you answer that there is only one security association, then the
first part of the above definition can be confusing --- because there
are two SPIs, one for AH and one for ESP.

I believe this is the crux of Bill's complaint.

							- Ted
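The identification rule quoted above, worked through as an added Python example that is not part of this message or of any IPsec implementation: an inbound Security Association Database keyed by the triple (destination IP, security protocol, SPI). The host A/host B scenario from the message is installed with one AH SA and one ESP SA from the same keying exchange; both deliberately carry the same 32-bit SPI value to show that this is unambiguous once the protocol is part of the key, and `lookup_by_spi_only` shows the ambiguity that arises if the "relative to" clauses are dropped. All addresses (RFC 5737 documentation range), SPI values and key labels are constructed.

```python
"""Added example (not from the original message): an inbound Security
Association Database keyed by (destination IP, security protocol, SPI),
the triple the quoted SPI definition identifies an SA by.
All addresses, SPI values and key labels below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class SecProto(IntEnum):
    """IP protocol numbers of the two IPsec security protocols."""
    ESP = 50
    AH = 51


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str            # destination IP address the SA is relative to
    proto: SecProto     # security protocol the SA is relative to
    spi: int            # 32-bit Security Parameters Index
    key_label: str      # which keying-material exchange produced it (label only)


SAKey = Tuple[str, SecProto, int]


class SAD:
    """Security Association Database. An SPI is only unique within a given
    (dst, proto) pair, so the full triple is the lookup key."""

    def __init__(self) -> None:
        self._table: Dict[SAKey, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        if not 0 <= sa.spi <= 0xFFFFFFFF:
            raise ValueError("SPI must fit in 32 bits")
        key: SAKey = (sa.dst, sa.proto, sa.spi)
        if key in self._table:
            raise KeyError(f"SA already installed for {key}")
        self._table[key] = sa

    def lookup(self, dst: str, proto: SecProto, spi: int) -> Optional[SecurityAssociation]:
        """Inbound lookup using only fields present in the packet: the IP
        destination address, the protocol number of the security header
        (AH or ESP) and the SPI carried in that header."""
        return self._table.get((dst, proto, spi))

    def lookup_by_spi_only(self, spi: int) -> List[SecurityAssociation]:
        """What happens if the 'relative to' clauses are ignored: the SPI
        alone is not unique, so several SAs may match one value."""
        return [sa for (_, _, s), sa in self._table.items() if s == spi]

    def count_for_peer(self, dst: str) -> int:
        """Number of SAs terminating at a given destination address."""
        return sum(1 for (d, _, _) in self._table if d == dst)


def build_example_sad() -> SAD:
    """Host A -> host B protected with both AH and ESP derived from one
    keying exchange. Both SAs reuse SPI 0x1000 on purpose: that is legal,
    because each SPI is unique relative to its own security protocol."""
    sad = SAD()
    sad.add(SecurityAssociation("192.0.2.2", SecProto.AH, 0x1000, "exchange-1"))
    sad.add(SecurityAssociation("192.0.2.2", SecProto.ESP, 0x1000, "exchange-1"))
    # Same SPI and same protocol toward a different destination is yet
    # another distinct SA, because the destination is part of the key.
    sad.add(SecurityAssociation("192.0.2.3", SecProto.ESP, 0x1000, "exchange-2"))
    return sad


if __name__ == "__main__":
    sad = build_example_sad()
    print("SAs toward 192.0.2.2:", sad.count_for_peer("192.0.2.2"))
    print("AH lookup:", sad.lookup("192.0.2.2", SecProto.AH, 0x1000))
    print("SAs matching SPI 0x1000 alone:", len(sad.lookup_by_spi_only(0x1000)))
```

In SAD terms the answer to Ted's question is two: one keying exchange, but two entries, each found by its own (destination, protocol, SPI) triple. A receiver that indexed only on the SPI would find three candidates here and could not tell which keys to apply.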

