[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPI orthogonality

To: ipsec@tis.com
Subject: Re: SPI orthogonality
From: Ben Rogers <ben@Ascend.COM>
Date: Thu, 10 Jul 1997 11:26:20 -0400 (EDT)
In-Reply-To: <199707092354.QAA14009@pita.cisco.com>
References: <199707091857.OAA09672@carp.morningstar.com><199707092354.QAA14009@pita.cisco.com>
Reply-To: ben@Ascend.COM (Ben Rogers)
Sender: owner-ipsec@ex.tis.com

Derrell Piper writes:
> >The last time I asked this question, it was as a result of
> >inconsistencies between the IPsec and ISAKMP drafts.  The response was
> >that the IPsec draft was in error (and would be modified).  SA's are
> >indexed by SPI/Remote Address/Protocol triplets.
> 
> That is correct.  FWIW though, I also know of several implementations that
> treat the SPI-space as a single namespace and I do not believe that there
> are any operational problems with doing so.  I defy an outside observer to
> determine whether this is or is not the case...
> 
> Derrell

I'd guess that the problem lies in the fact that if my machine has a
single SPI-space, and a remote machine proposes AH and ESP SA's with the
same SPI (via SA management), I am unable to accept both of those SA's.
(Note that these will both be indexed by SPI/Remote Addr, and since
there is not a third index field, we will have a collision.)

It seems that this is just a touch on the undesirable side. :)

ben

Follow-Ups:

Re: SPI orthogonality

From: Daniel Harkins <dharkins@cisco.com>

References:

SPI orthogonality

From: Ben Rogers <ben@Ascend.COM>

Re: SPI orthogonality

From: Derrell Piper <piper@cisco.com>

Prev by Date: Re: SPI orthogonality
Next by Date: Re: SPI orthogonality
Prev by thread: Re: SPI orthogonality - two comments
Next by thread: Re: SPI orthogonality
Index(es):
- Main
- Thread