Re: SPI orthogonality
Ben Rogers writes:
> Derrell Piper writes:
> > >The last time I asked this question, it was as a result of
> > >inconsistencies between the IPsec and ISAKMP drafts. The response was
> > >that the IPsec draft was in error (and would be modified). SA's are
> > >indexed by SPI/Remote Address/Protocol triplets.
> >
> > That is correct. FWIW though, I also know of several implementations that
> > treat the SPI-space as a single namespace and I do not believe that there
> > are any operational problems with doing so. I defy an outside observer to
> > determine whether this is or is not the case...
> >
> > Derrell
>
> I'd guess that the problem lies in the fact that if my machine has a
> single SPI-space, and a remote machine proposes AH and ESP SA's with the
> same SPI (via SA management), I am unable to accept both of those SA's.
> (Note that these will both be indexed by SPI/Remote Addr, and since
> there is not a third index field, we will have a collision.)
>
> It seems that this is just a touch on the undesirable side. :)
You manage your own namespace. If an implementation does what Derrell
suggests (right or wrong) there shouldn't be a problem accepting SPIs from
a peer that does not. You tell me how you want me to talk to you. Provided
the SPI is less than 255 I don't care how you arrived at its value -- one
monolithic namespace or not. As long as each peer manages its own namespace
correctly there isn't a problem.
Dan.
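As an added illustration, not part of the thread, here is a toy inbound Security Association database in Python that makes Ben's collision concrete: indexed by (SPI, remote address) the second of two same-SPI AH/ESP proposals from one peer must be refused, while the SPI/Remote Address/Protocol triplet holds both; the SPI allocator is a constructed stand-in for Dan's point that each side only has to manage its own inbound namespace. The peer address, SPI value and labels are constructed sample data.

```python
from dataclasses import dataclass
from itertools import count

AH, ESP = 51, 50  # IP protocol numbers carried in the IPsec header


@dataclass(frozen=True)
class SA:
    spi: int
    remote: str   # peer address the SA was negotiated with
    proto: int    # AH or ESP
    label: str    # constructed stand-in for keys and algorithms


class SAD:
    """Inbound SA database indexed by a configurable tuple of SA fields."""

    def __init__(self, key_fields):
        self._key_fields = key_fields
        self._table = {}

    def _key(self, **fields):
        return tuple(fields[f] for f in self._key_fields)

    def add(self, sa):
        k = self._key(spi=sa.spi, remote=sa.remote, proto=sa.proto)
        if k in self._table:
            return False  # collision: refuse rather than silently replace an SA
        self._table[k] = sa
        return True

    def lookup(self, spi, remote, proto):
        return self._table.get(self._key(spi=spi, remote=remote, proto=proto))


class SpiAllocator:
    """One monolithic local SPI namespace for the SAs we receive on."""

    def __init__(self):
        # SPI 0 is reserved for local use and 1..255 are reserved by IANA
        self._next = count(256)

    def allocate(self):
        return next(self._next)


def collision_demo(key_fields):
    """A peer proposes AH and ESP SAs that both use SPI 0x1000; return (ah_ok, esp_ok)."""
    sad = SAD(key_fields)
    ah_ok = sad.add(SA(0x1000, "192.0.2.10", AH, "ah-sa"))    # constructed values
    esp_ok = sad.add(SA(0x1000, "192.0.2.10", ESP, "esp-sa"))
    return ah_ok, esp_ok
```

Running `collision_demo(("spi", "remote"))` refuses the ESP SA, whereas `collision_demo(("spi", "remote", "proto"))` accepts both.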