
Re: SPI orthogonality



Ben Rogers writes:
> Derrell Piper writes:
> > >The last time I asked this question, it was as a result of
> > >inconsistencies between the IPsec and ISAKMP drafts.  The response was
> > >that the IPsec draft was in error (and would be modified).  SA's are
> > >indexed by SPI/Remote Address/Protocol triplets.
> > 
> > That is correct.  FWIW though, I also know of several implementations that
> > treat the SPI-space as a single namespace and I do not believe that there
> > are any operational problems with doing so.  I defy an outside observer to
> > determine whether this is or is not the case...
> > 
> > Derrell
> 
> I'd guess that the problem lies in the fact that if my machine has a
> single SPI-space, and a remote machine proposes AH and ESP SA's with the
> same SPI (via SA management), I am unable to accept both of those SA's.
> (Note that these will both be indexed by SPI/Remote Addr, and since
> there is not a third index field, we will have a collision.)
> 
> It seems that this is just a touch on the undesirable side. :)

You manage your own namespace. If an implementation does what Derrell
suggests (right or wrong) there shouldn't be a problem accepting SPIs from 
a peer that does not. You tell me how you want me to talk to you. Provided
the SPI is less than 255 I don't care how you arrived at its value-- one
monolithic namespace or not. As long as each peer manages its own namespace 
correctly there isn't a problem.

  Dan.
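
An added illustration, not code from anyone in this thread: a toy inbound SA database in Python that can be keyed either by the SPI/Remote Address/Protocol triplet Derrell cites or by SPI/Remote Address alone, reproducing the collision Ben describes when a peer proposes AH and ESP SAs with the same SPI. The class and function names, the address and the SPI value are constructed for the example.

```python
# Constructed toy model of an inbound Security Association Database (SAD).
# The lookup key is either the triplet (SPI, remote address, protocol) or,
# in the single-namespace model, just (SPI, remote address).
AH, ESP = 51, 50   # IP protocol numbers for AH and ESP


class SADCollision(Exception):
    """Raised when a proposed SA would shadow an already-installed entry."""


class InboundSAD:
    def __init__(self, index_by_protocol):
        # True: key = (SPI, remote addr, protocol), i.e. the triplet.
        # False: key = (SPI, remote addr), one SPI namespace for AH and ESP.
        self.index_by_protocol = index_by_protocol
        self._entries = {}

    def _key(self, spi, remote, proto):
        if self.index_by_protocol:
            return (spi, remote, proto)
        return (spi, remote)

    def install(self, spi, remote, proto, keymat):
        key = self._key(spi, remote, proto)
        if key in self._entries:
            raise SADCollision(f"SPI {spi:#x} from {remote} already in use")
        self._entries[key] = {"proto": proto, "keymat": keymat}

    def lookup(self, spi, remote, proto):
        """Return the SA that an inbound packet with these fields selects."""
        return self._entries.get(self._key(spi, remote, proto))


def accept_ah_and_esp(index_by_protocol, spi=0x1000, remote="198.51.100.7"):
    """A peer proposes an AH SA and an ESP SA that carry the same SPI
    (constructed values). Returns how many of the two SAs were accepted."""
    sad = InboundSAD(index_by_protocol)
    accepted = 0
    for proto, keymat in ((AH, "ah-keymat"), (ESP, "esp-keymat")):
        try:
            sad.install(spi, remote, proto, keymat)
            accepted += 1
        except SADCollision:
            pass   # single-namespace SAD: the second SA cannot be installed
    return accepted
```

With the triplet index both SAs are accepted; with the pair index the second proposal collides, which is exactly the case Ben raises.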
