
Re: SPI and its length in the ISAKMP Proposal



  John,

  You're right, there is no required SPI length for phase 1 negotiation
because (as you also note) the ISAKMP SA is identified by the cookies.

  I send a SPI length of zero (and don't send a SPI). I also accept a
SPI length of anything and skip over the passed SPI. So I guess I'd accept
a SPI length of 1 in phase 1 since I really don't care. (If debugging is
on I'll report that a phase 1 SPI was passed, but that's about all). Since
ver-08 of the draft prescribes its value to be zero, I guess zero is
correct.

  I'm not really sure where you got the idea that everyone is doing a
SPI size of 16. For IPSec negotiations it's 8. If you pass me 16 bytes of
SPI for phase 2, I'll reject it.

  Dan.

> A piddly, I don't know if anyone will have trouble on this point but
> someone might:
> 
> I don't see where any specific SPI length is required in the Proposal
> Payload of the Phase I ISAKMP negotiation.  It is prescribed that its value
> should be zero, in the ISAKMP draft ver-08, "2.4 Identifying Security
> Associations".
> 
> This suggests to me that everyone is obliged to accept any SPI length in a
> Phase I Proposal payload; it is even arguable a SPI length of zero is
> acceptable here.  Or an odd number, like 1, but that would be really weird.
> 
> I know that in specification of the Notify and Delete payloads it is
> prescribed that the SPI is the cookie pair; but I would say nothing says
> this applies to the Proposal case.
> 
> If everyone is producing size 16 now then it would be reasonable for
> everyone to agree it should be so, and for that clarification to appear in
> a later draft.
> 
> Our implementation is going to send SPI length 16 in these Proposals, but
> will accept all lengths.
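As an added illustration of the policy argued over in this thread (example code written for this page, not from either poster or from any implementation they mention): a small encoder/decoder for the ISAKMP Proposal payload that tolerates any SPI Size in phase 1 and simply skips the SPI, enforces a configurable SPI Size in phase 2, and in both phases checks the declared size against Payload Length so that "skip over it" can never read past the payload. The field layout follows RFC 2408; the `PROTO_ISAKMP` value, the 4-byte phase 2 default (taken from the RFC 2407 IPsec DOI, which differs from the 8 and 16 cited in the thread) and the sample transform bytes are assumptions.

```python
import struct
from dataclasses import dataclass

# ISAKMP Proposal payload header (RFC 2408 section 3.5):
# Next Payload, RESERVED, Payload Length, Proposal #, Protocol-Id, SPI Size, # of Transforms
PROPOSAL_HDR = struct.Struct("!BBHBBBB")
PROTO_ISAKMP = 1  # Protocol-Id carried in phase 1 proposals (assumed value)

@dataclass
class Proposal:
    next_payload: int
    proposal_num: int
    protocol_id: int
    spi: bytes
    transforms: bytes  # raw Transform payloads, not decoded here

def build_proposal(prop_num, proto_id, spi, transforms):
    """Encode a Proposal payload; SPI Size is len(spi), so 0 means 'no SPI sent'."""
    body = spi + b"".join(transforms)
    return PROPOSAL_HDR.pack(0, 0, PROPOSAL_HDR.size + len(body), prop_num, proto_id,
                             len(spi), len(transforms)) + body

def parse_proposal(data, phase, phase2_spi_size=4):
    """Decode one Proposal payload with the SPI Size policy from the thread.
    Phase 1: any SPI Size is tolerated and the SPI bytes are skipped (the ISAKMP SA
    is named by the cookie pair). Phase 2: SPI Size must match what the DOI expects
    (parameterised; RFC 2407's IPsec DOI uses 4, the thread's authors cite 8 and 16).
    In both phases the declared size must fit inside Payload Length, so a bogus SPI
    Size can never make the 'skip over it' step read past the payload.
    """
    if len(data) < PROPOSAL_HDR.size:
        raise ValueError("truncated Proposal header")
    nxt, reserved, length, prop_num, proto_id, spi_size, _ntrans = PROPOSAL_HDR.unpack_from(data)
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length > len(data) or length < PROPOSAL_HDR.size + spi_size:
        raise ValueError(f"SPI Size {spi_size} does not fit in Payload Length {length}")
    if phase == 2 and spi_size != phase2_spi_size:
        raise ValueError(f"phase 2 SPI Size {spi_size}, expected {phase2_spi_size}")
    spi_end = PROPOSAL_HDR.size + spi_size
    return Proposal(nxt, prop_num, proto_id, data[PROPOSAL_HDR.size:spi_end], data[spi_end:length])

def accepts(data, phase, phase2_spi_size=4):
    """True if parse_proposal would accept the payload (handy for tests and logging)."""
    try:
        parse_proposal(data, phase, phase2_spi_size)
        return True
    except ValueError:
        return False
```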


