
Re: New SPI when renegotiate keys?



> I know when ISAKMP renegotiates a new key with a remote partner that the
> documentation says this creates a new SA. Does this new SA have to have
> a different SPI than the previous one?

I believe so.  And if I'm wrong, I'd like to see my reasons for why
countered.

> If so, why?

Because IP has no delivery guarantees, and changing the keys on an existing
SA will scramble packets that arrive AFTER the rekeying, but were
encrypted/authenticated BEFORE the rekeying.  Hey, it's IP, anything can
happen.

Consider the following SA:

	A -> B, AH HMAC-MD5, SPI = 0x84001100, key = <foo>

So I receive some packets for SA {B, 0x84001100}.  Suddenly I perform an
ISAKMP renegotiation and change the key from <foo> to <bar>.

But say before that happened, a packet left A.  Let's say that the packet got
caught in a routing loop while the ISAKMP exchange took place.  Suddenly this
old packet arrives at B, and the SA lookup succeeds.  But now, the key is
different so it won't authenticate.

Dan
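The scenario in Dan's message, as an added example that is not part of the original post: a toy inbound security association database that looks up {destination, SPI} the way AH does, with a packet authenticated under the old key arriving after the rekey. The SPI 0x84001100 and the keys <foo>/<bar> are from the message; the second SPI 0x84001101, the addresses, the payloads and the SAD/packet structures are assumptions made for this example. The ICV is HMAC-MD5 truncated to 96 bits (the AH HMAC-MD5-96 transform).

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SA:
    """One inbound security association: the SPI it answers to and its key."""
    spi: int
    key: bytes


@dataclass
class AHPacket:
    """Constructed stand-in for an AH-protected packet (not a real wire format)."""
    src: str
    dst: str
    spi: int
    payload: bytes
    icv: bytes  # HMAC-MD5-96: first 12 bytes of the HMAC-MD5 digest


def icv_for(key: bytes, spi: int, payload: bytes) -> bytes:
    # Authenticate the SPI together with the payload, truncated to 96 bits.
    data = spi.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def send(sa: SA, src: str, dst: str, payload: bytes) -> AHPacket:
    """Sender side: compute the ICV under whatever SA is current when the packet leaves."""
    return AHPacket(src, dst, sa.spi, payload, icv_for(sa.key, sa.spi, payload))


class SAD:
    """Inbound SA database keyed by (destination, SPI), as AH receivers look it up."""

    def __init__(self) -> None:
        self.table: dict[tuple[str, int], SA] = {}

    def add(self, dst: str, sa: SA) -> None:
        # Installing an SA under an existing (dst, SPI) silently replaces it.
        self.table[(dst, sa.spi)] = sa

    def delete(self, dst: str, spi: int) -> None:
        self.table.pop((dst, spi), None)

    def receive(self, pkt: AHPacket) -> bool:
        """Receiver side: SA lookup, then ICV check. True only if both succeed."""
        sa = self.table.get((pkt.dst, pkt.spi))
        if sa is None:
            return False  # no SA for this SPI: packet is dropped
        expected = icv_for(sa.key, pkt.spi, pkt.payload)
        return hmac.compare_digest(expected, pkt.icv)


def rekey_in_place() -> bool:
    """Rekey by swapping the key under the SAME SPI; the delayed packet fails."""
    b = SAD()
    old = SA(0x84001100, b"foo")
    b.add("B", old)
    # Packet leaves A under the old key, then gets stuck in a routing loop...
    delayed = send(old, "A", "B", b"data sent before the rekey")
    # ...while ISAKMP renegotiates and B replaces <foo> with <bar> on the same SPI.
    b.add("B", SA(0x84001100, b"bar"))
    # The lookup succeeds, but the ICV was computed under <foo>, so it fails.
    return b.receive(delayed)  # False


def rekey_new_spi() -> tuple[bool, bool]:
    """Rekey by installing a NEW SPI; old and new SAs overlap, both packets verify."""
    b = SAD()
    old = SA(0x84001100, b"foo")
    b.add("B", old)
    delayed = send(old, "A", "B", b"data sent before the rekey")
    # New SA gets a fresh SPI (0x84001101 is an assumed value); old SA stays installed
    # until its lifetime expires, so late packets under <foo> still authenticate.
    new = SA(0x84001101, b"bar")
    b.add("B", new)
    fresh = send(new, "A", "B", b"data sent after the rekey")
    return b.receive(delayed), b.receive(fresh)  # (True, True)


def after_old_sa_expires() -> bool:
    """Once the old SA is torn down, late packets under the old SPI are dropped, not mis-keyed."""
    b = SAD()
    old = SA(0x84001100, b"foo")
    b.add("B", old)
    delayed = send(old, "A", "B", b"very late packet")
    b.add("B", SA(0x84001101, b"bar"))
    b.delete("B", 0x84001100)
    return b.receive(delayed)  # False: no SA for the SPI, which is the correct outcome
```

The point the receiver-side code makes concrete is that the SA lookup keys on the SPI alone, so a rekey that keeps the SPI leaves no way to tell which key a late packet was authenticated under; a new SPI lets the old SA linger for its remaining lifetime and the late packet is verified against the right key.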

