
Re: IPsec -- SPI ranges



In message <199710102055.QAA27279@dcl.MIT.EDU>, "Theodore Y. Ts'o" writes:
> 
> 	Some of Bill Simpson's drafts did reserve the SPI ranges from
> 256-65535 for manual configuration, but none of his drafts which made
> such a claim were formally under consideration by the working group, and
> to my knowledge I haven't seen any request for this from the working
> group.  I've cc'ed this message to the ipsec mailing list.  If someone
> has a very good reason to want this, speak up now.

I use the 256-65535 convention in my implementations. However, I don't see a
need to standardize this; "pick a number between 256 and 2^32 -1" has a small
probability of colliding with an existing manual SA. Given a collision, I'd
do the same as with weak keys; fail the SA and re-start the SA negotiation
(Phase 2 in the case of ISAKMP).

-- 
Harald
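
The approach described in the reply above (draw the SPI at random, treat a clash with an existing manual SA as a failed negotiation and start over), sketched as an added example that is not part of the original message or any implementation it mentions. The names `propose_spi`, `negotiate_sa` and `collision_probability`, the retry limit, and modelling the SA table as a set of SPIs for a single destination and protocol are assumptions made for illustration.

```python
import secrets

SPI_MIN = 256          # lower bound quoted in the message
SPI_MAX = 2**32 - 1    # largest 32-bit SPI
SPI_SPACE = SPI_MAX - SPI_MIN + 1


class SpiCollision(Exception):
    """The drawn SPI is already used by an existing (e.g. manual) SA."""


def collision_probability(existing_sa_count):
    """Chance that one uniform draw from [SPI_MIN, SPI_MAX] hits an existing SA."""
    return existing_sa_count / SPI_SPACE


def propose_spi(existing_spis, draw=None):
    """One negotiation attempt: draw an SPI and fail the SA if it is taken."""
    if draw is None:
        spi = SPI_MIN + secrets.randbelow(SPI_SPACE)  # CSPRNG, uniform over the range
    else:
        spi = draw()                                  # injectable source, for testing
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    if spi in existing_spis:
        raise SpiCollision(spi)
    return spi


def negotiate_sa(existing_spis, max_attempts=3, draw=None):
    """Restart the negotiation on collision; return (spi, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        try:
            spi = propose_spi(existing_spis, draw)
        except SpiCollision:
            continue                # fail this SA and negotiate again
        existing_spis.add(spi)      # install the new SA
        return spi, attempt
    raise RuntimeError(f"no free SPI after {max_attempts} attempts")


if __name__ == "__main__":
    manual_sas = {300, 4096}        # constructed sample: manually keyed SAs
    spi, attempts = negotiate_sa(set(manual_sas))
    print(f"SPI 0x{spi:08x} after {attempts} attempt(s); "
          f"per-draw collision chance {collision_probability(len(manual_sas)):.2e}")
```
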

