
Re: SPI orthogonality



>  FWIW though, I also know of several implementations that
> treat the SPI-space as a single namespace and I do not believe 
> that there are any operational problems with doing so.  

	IF the destination address is a unicast IP address
AND the node assigns its own SPIs, then I do not believe there
will be an interoperability problem.  

	My (possibly outdated or faulty) recollection is
that while a destination node normally assigns its own SPI
values, this is not a strict requirement of the IPsec specifications.
So that assumption is probably not a safe one to make.

	One could easily imagine using a KDC (e.g. Kerberos) 
to distribute IPsec SAs and having that KDC allocate SPIs 
on behalf of the nodes using that KDC.  In such a KDC situation, 
the second prerequisite would not hold and interoperability problems
would result from an implementation treating the "SPI space as a 
single namespace".  In some situations, it is _desirable_ for 
a KDC to be able to assign SPIs on behalf of its clients.  Hence,
mandating that each node assign its own SPI values seems unduly
restrictive.

	  Further, ESP and AH were intentionally designed to be
independent of the key management protocol in use.  For example,
Photuris is rumoured to have an implementation now.  Kerberos is
easily extended to support IPsec.  Other key management techniques
(e.g. ANSI's KM protocol) are likely to also be used in some
environments.

	IF the destination address is a multicast IP address
(implicitly this means there is more than one member of
the IP multicast group), then the receiving node generally is
not the node assigning the SPIs for that destination address.
This means that the second property (top) does not hold for
multicast destination addresses.  Hence, interoperability
problems will result from an implementation treating the 
"SPI space as a single namespace".
		
> I defy an outside observer to determine whether this is or is not 
> the case...

	I think I have outlined several specific situations
where an outside observer _can_ determine whether a particular
implementation supports separate SPI spaces.  I would urge 
that implementers not currently conforming with this aspect
of the IPsec specifications reconsider this portion of 
their implementation because of the interoperability
issues that it causes.

Best wishes,

Ran
rja@inet.org
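As an added illustration, not part of Ran's message or of any IPsec implementation, here is a toy inbound Security Association Database indexed both ways: by SPI alone (the "single namespace" behaviour) and by the (destination address, protocol, SPI) triple. The class names, addresses and SPI values are constructed; the scenario reuses one SPI value for a unicast peer, a multicast group and an AH SA, as can happen when a KDC or a multicast group owner assigns SPIs rather than the receiving node.

```python
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers carried in the outer header

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str     # destination address: unicast host or multicast group
    proto: int   # ESP or AH
    key_id: str  # constructed label standing in for the SA's key material

class SingleNamespaceSAD:
    """Inbound SAD indexed by SPI alone: the behaviour the message argues against."""
    def __init__(self):
        self._by_spi = {}
    def add(self, sa):
        if sa.spi in self._by_spi:
            return False  # SPI already used for another destination or protocol
        self._by_spi[sa.spi] = sa
        return True
    def lookup(self, dst, proto, spi):
        return self._by_spi.get(spi)  # dst and proto are ignored entirely

class TripleKeyedSAD:
    """Inbound SAD indexed by (destination, protocol, SPI); SPIs may repeat."""
    def __init__(self):
        self._by_triple = {}
    def add(self, sa):
        key = (sa.dst, sa.proto, sa.spi)
        if key in self._by_triple:
            return False
        self._by_triple[key] = sa
        return True
    def lookup(self, dst, proto, spi):
        return self._by_triple.get((dst, proto, spi))

def constructed_sas():
    # Constructed scenario: SPI 0x1000 handed out independently for a unicast
    # peer (as a KDC might) and for a multicast group, plus an AH SA reusing it.
    return [
        SA(0x1000, "10.0.0.1", ESP, "k-unicast-esp"),
        SA(0x1000, "224.0.1.1", ESP, "k-multicast-esp"),
        SA(0x1000, "10.0.0.1", AH, "k-unicast-ah"),
    ]

def install_all(sad, sas):
    # One True/False per SA, so a refused installation is visible to the caller.
    return [sad.add(sa) for sa in sas]
```

With the single-namespace table, the second and third SAs cannot be installed, and a lookup for the multicast group returns the unicast SA's key, so the receiver applies the wrong key material; the triple-keyed table installs all three and returns the right SA for each destination and protocol.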