Re: IPsec -- SPI ranges
Harald,
Also, many (most?) implementations which retain a central storage for
IPsec SAs can often determine the SPI collision _before_ sending the SPI
back to the remote end (via Photuris, ISAKMP, whatever) so that the KM exchange
gets delayed 1-2 seconds (while the receiving end selects another SPI that really
isn't in use) but the KM exchange does not ever need to be repeated.
Not all implementations will have that property, but those that do might
try the above approach.
Ran
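
Added example, not part of Ran's message or of any implementation it refers to: a C sketch of the local check described above, where the receiving end tests each candidate SPI against its central SA storage and picks another before replying, so the peer never sees the collision. The table layout, function names, retry bound and scripted candidate source are assumptions made for illustration; the reserved 0-255 SPI range comes from the IPsec specifications.

```c
#include <stddef.h>
#include <stdint.h>

#define SAD_MAX 64             /* constructed table size for this example */
#define SPI_RESERVED_MAX 255u  /* SPIs 0..255 are reserved, never hand them out */
#define SPI_MAX_TRIES 16       /* assumed bound on local retries */

/* An inbound SA is identified by (destination, protocol, SPI). */
struct sa_key { uint32_t dst; uint8_t proto; uint32_t spi; };
struct sad { struct sa_key e[SAD_MAX]; size_t n; };   /* central SA storage */

/* Candidate source is pluggable; production code would use its own generator. */
typedef uint32_t (*spi_source)(void *ctx);

/* Constructed source that replays a fixed list, so collisions can be forced. */
struct script { const uint32_t *v; size_t n, i; };
static uint32_t scripted_source(void *ctx)
{
    struct script *sc = ctx;
    return sc->i < sc->n ? sc->v[sc->i++] : 0;
}

static int sad_in_use(const struct sad *s, uint32_t dst, uint8_t proto, uint32_t spi)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->e[i].dst == dst && s->e[i].proto == proto && s->e[i].spi == spi)
            return 1;
    return 0;
}

/* Choose and reserve an inbound SPI before it is sent to the peer.
 * Returns the SPI, or 0 if the table is full or every candidate was rejected.
 * *rejected counts candidates dropped locally (reserved or already in use). */
uint32_t spi_alloc(struct sad *s, uint32_t dst, uint8_t proto,
                   spi_source next, void *ctx, unsigned *rejected)
{
    *rejected = 0;
    if (s->n >= SAD_MAX)
        return 0;
    for (unsigned t = 0; t < SPI_MAX_TRIES; t++) {
        uint32_t spi = next(ctx);
        if (spi <= SPI_RESERVED_MAX || sad_in_use(s, dst, proto, spi)) {
            (*rejected)++;       /* collision handled here, peer never sees it */
            continue;
        }
        s->e[s->n++] = (struct sa_key){ dst, proto, spi };  /* reserve at once */
        return spi;
    }
    return 0;
}
```

Reserving the entry in the same step as the lookup keeps two concurrent negotiations from being handed the same SPI; a multi-threaded implementation would hold a lock across both.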