Re: IPsec -- SPI ranges
>>>>> "Ran" == Ran Atkinson <rja@inet.org> writes:
Ran> storage for IPsec SAs can often determine the SPI collision
Ran> _before_ sending the SPI back to the remote end (via
Ran> Photuris, ISAKMP, whatever) so that the KM exchange gets
Ran> delayed 1-2 seconds (while the receiving end selects another
We always ask the SA database engine to allocate a new SPI.
Ran> Not all implementations will have that property, but those
Ran> that do might try the above approach.
There is also an issue with dividing the SPI space up:
Attacker: "oh look. Manually keyed SPIs. These should be worth attacking."
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | I do IPsec policy code for SSH <http://www.ssh.fi/>
Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
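The two points in the exchange above (detecting an SPI collision against the local SA table before the value is ever proposed to the peer, and not carving the SPI space into a separate manually keyed range an attacker can recognise) can be shown in a few lines. The following is an added example written for this page; it is not code from the original message, from the SSH IPsec implementation, or from any SA database engine the thread mentions. The class names, the choice to identify an inbound SA by (SPI, protocol), the single shared pool for manual and key-management-installed SAs, the retry budget and the constructed scenario in demo() are all this example's assumptions. The reserved values (0 and 1..255) come from the ESP/AH specifications, not from the thread.

```python
import secrets

# SPI values 0 and 1..255 are reserved (RFC 2406 / RFC 4303): 0 for local,
# implementation-specific use and 1..255 to IANA. Everything else is
# allocatable. Treating the remaining space as ONE pool, shared by manual and
# key-management-installed SAs, is this example's choice, not the thread's.
SPI_MIN = 256
SPI_MAX = 0xFFFFFFFF


class SADatabase:
    """Toy inbound-SA table (example code, not any real SAD engine).
    An inbound SA is looked up by (SPI, protocol), the same lookup a receiver
    does on an arriving ESP or AH packet, so a duplicate (SPI, protocol) is
    exactly the collision the thread is about."""

    def __init__(self, rng=secrets.randbelow):
        self._sas = {}      # (spi, proto) -> description
        self._rng = rng     # rng(n) -> int in [0, n); injectable for tests

    def exists(self, spi, proto):
        return (spi, proto) in self._sas

    def install(self, spi, proto, desc):
        """Install an SA under an operator-chosen SPI (manual keying).
        Returns False instead of clobbering an existing entry."""
        if not SPI_MIN <= spi <= SPI_MAX:
            raise ValueError("SPI %#x is reserved or out of range" % spi)
        if self.exists(spi, proto):
            return False
        self._sas[(spi, proto)] = desc
        return True

    def allocate(self, proto, desc, attempts=16):
        """Pick a fresh SPI for a new inbound SA. The collision check is a
        local dictionary lookup, so it happens before the SPI is proposed to
        the peer in the key-management exchange; no round trip is wasted.
        Drawing from the whole non-reserved range means a manual SA cannot
        be spotted on the wire by the range its SPI falls in."""
        for _ in range(attempts):
            spi = SPI_MIN + self._rng(SPI_MAX - SPI_MIN + 1)
            if self.install(spi, proto, desc):
                return spi
        raise RuntimeError("no free SPI after %d attempts" % attempts)


def scripted_rng(values):
    """Deterministic stand-in for secrets.randbelow, used to force collisions."""
    it = iter(values)
    return lambda n: next(it) % n


def responder_propose_spi(sad, proto, desc):
    """What the KM responder does when asked for an inbound SPI: allocate
    locally, then hand the value to the peer. Returns the 4-byte SPI field."""
    spi = sad.allocate(proto, desc)
    return spi.to_bytes(4, "big")


def demo():
    """Constructed scenario: a manually keyed ESP SA already sits at SPI
    0x1000; the allocator's first two draws hit it and are skipped locally,
    and the third draw (offset 99, i.e. SPI 355) is what goes to the peer."""
    sad = SADatabase(rng=scripted_rng([0x1000 - SPI_MIN, 0x1000 - SPI_MIN, 99]))
    manual_ok = sad.install(0x1000, "esp", "manually keyed SA")
    duplicate_ok = sad.install(0x1000, "esp", "second manual SA, same SPI")
    wire = responder_propose_spi(sad, "esp", "IKE-negotiated SA")
    return manual_ok, duplicate_ok, int.from_bytes(wire, "big")


if __name__ == "__main__":
    print(demo())   # (True, False, 355)
```

With a 32-bit SPI and a table of n inbound SAs, each random draw collides with probability n / 2^32, so the retry loop almost never runs more than once; the point is that the retry costs a table lookup on the local box rather than a rejected proposal and a second key-management round trip.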