
Re: SPI orthogonality



<SNIP!>

> FWIW though, I also know of several implementations that
> treat the SPI-space as a single namespace and I do not believe that there
> are any operational problems with doing so.  I defy an outside observer to
> determine whether this is or is not the case...

Two words:   Manual Keying
The aforementioned implementations might choke on the legitimate manual adds
of:

	add esp 0x2112 224.0.0.1 ....
	add ah 0x2112 224.0.0.1 ....

Though quite honestly, the proliferation of ISAKMP/Oakley I'm seeing both
here and on ANX-Sec suggests that in a real operational environment, Derrell's
challenge will go unmet for the very reasons Dan H. suggests in another note
on this list already!

Glad we made sure we're clear on the question.

Dan McD.
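
The collision described in the message above, as an added example (not part of the original message and not code from any implementation mentioned in the thread): a toy SA database keyed either per protocol or as a single SPI namespace, fed the two manual adds. The field order (verb, protocol, SPI, destination) is read off the two lines in the message; the `<esp-args>` and `<ah-args>` placeholders stand in for the elided arguments, and all class and function names are hypothetical.

```python
import ipaddress

class DuplicateSA(Exception):
    """Raised when a manual add collides with an existing SAD entry."""

class SAD:
    """Toy SA database; per_protocol picks the key: (proto, SPI, dst) or (SPI, dst)."""
    def __init__(self, per_protocol):
        self.per_protocol = per_protocol
        self.entries = {}

    def _key(self, proto, spi, dst):
        return (proto, spi, dst) if self.per_protocol else (spi, dst)

    def add(self, line):
        # Only the first four fields matter here; whatever follows the
        # destination (keys, algorithms) is kept opaque in `rest`.
        verb, proto, spi, dst, *rest = line.split()
        if verb != "add" or proto not in ("ah", "esp"):
            raise ValueError(f"unsupported command: {line!r}")
        spi, dst = int(spi, 16), ipaddress.ip_address(dst)
        key = self._key(proto, spi, dst)
        if key in self.entries:
            raise DuplicateSA(f"{proto} SPI {spi:#x} -> {dst} collides with "
                              f"existing {self.entries[key][0]} entry")
        self.entries[key] = (proto, rest)

    def lookup(self, proto, spi, dst):
        """Inbound lookup for a received packet's protocol, SPI and destination."""
        entry = self.entries.get(self._key(proto, spi, ipaddress.ip_address(dst)))
        # A single-namespace SAD must still confirm the protocol matches.
        return entry if entry and entry[0] == proto else None

# Constructed input: the two manual adds from the message, with placeholders
# where the original elides the remaining arguments.
MANUAL_ADDS = ["add esp 0x2112 224.0.0.1 <esp-args>",
               "add ah 0x2112 224.0.0.1 <ah-args>"]

def load(per_protocol):
    """Apply MANUAL_ADDS to a fresh SAD; return it with any rejection messages."""
    sad, rejected = SAD(per_protocol), []
    for line in MANUAL_ADDS:
        try:
            sad.add(line)
        except DuplicateSA as exc:
            rejected.append(str(exc))
    return sad, rejected
```

With `load(True)` both adds succeed; with `load(False)` the second add is rejected and no AH association exists for that SPI and destination.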


