[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPsec -- SPI ranges

To: "C. Harald Koch" <chk@utcc.utoronto.ca>
Subject: Re: IPsec -- SPI ranges
From: Ran Atkinson <rja@inet.org>
Date: Sat, 11 Oct 97 16:17:25 GMT Daylight Time
Cc: ipsec@tis.com, Karen Seo <kseo@bbn.com>, rgm3@chrysler.com, skent@bbn.com
References: <97Oct10.231516edt.11649@janus.tor.securecomputing.com>
Sender: owner-ipsec@ex.tis.com


Harald,

   Also, many (most ?) implementations which retain a central storage for
IPsec SAs can often determine the SPI collision _before_ sending the SPI 
back to the remote end (via Photuris, ISAKMP, whatever) so that the KM exchange 
gets delayed 1-2 seconds (while the receiving end selects another SPI that really 
isn't in use) but the KM exchange does not ever need to be repeated.

  Not all implementations will have that property, but those that do might
try the above approach.

Ran

Follow-Ups:

Re: IPsec -- SPI ranges

From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

Re: IPsec -- SPI ranges

From: Cheryl Madson <cmadson@cisco.com>

References:

Re: IPsec -- SPI ranges

From: "C. Harald Koch" <chk@utcc.utoronto.ca>

Prev by Date: Re: IPsec -- SPI ranges
Next by Date: Re: IPsec -- SPI ranges
Prev by thread: Re: IPsec -- SPI ranges
Next by thread: Re: IPsec -- SPI ranges
Index(es):
- Main
- Thread