
Re: IPsec -- SPI ranges




>>>>> "Ran" == Ran Atkinson <rja@inet.org> writes:
    Ran> storage for IPsec SAs can often determine the SPI collision
    Ran> _before_ sending the SPI back to the remote end (via
    Ran> Photuris, ISAKMP, whatever) so that the KM exchange gets
    Ran> delayed 1-2 seconds (while the receiving end selects another

  We always ask the SA database engine to allocate a new SPI.

    Ran>   Not all implementations will have that property, but those
    Ran> that do might try the above approach.

  There is also an issue with dividing the SPI space up:
  Attacker: "oh look. Manually keyed SPIs. These should be worth attacking."

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
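As an added illustration of the allocation approach the reply describes (example code, not from this thread or from any implementation it mentions): a toy SA database hands out inbound SPIs from the whole non-reserved 32-bit range rather than a partitioned sub-range, and checks for collisions locally before the value is passed to key management. The class name, the injectable `rng` parameter and the sample address are assumptions made for the example.

```python
import secrets

# SPI 0 and 1..255 are reserved by the IPsec architecture documents; the
# allocator draws from the whole remaining 32-bit space rather than a
# sub-range, so an observer cannot tell manually keyed SAs from negotiated
# ones by looking at the SPI value on the wire.
SPI_MIN = 256
SPI_MAX = 0xFFFFFFFF


class SADatabase:
    """Toy inbound SA table keyed by (destination, protocol, SPI)."""

    def __init__(self, rng=secrets.randbelow):
        # rng(n) must return an integer in [0, n); injectable for testing
        # (assumption made for this example, not a real SAD interface).
        self._rng = rng
        self._sas = {}

    def allocate_spi(self, dst, proto, max_tries=16):
        """Return a fresh inbound SPI for (dst, proto).

        The collision check happens here, against local storage, before
        the value is handed to the key-management exchange, so the peer is
        never told an SPI that is already in use on this end.
        """
        for _ in range(max_tries):
            candidate = SPI_MIN + self._rng(SPI_MAX - SPI_MIN + 1)
            key = (dst, proto, candidate)
            if key not in self._sas:
                self._sas[key] = None  # reserve the slot until keys arrive
                return candidate
        raise RuntimeError("could not find a free SPI for %s/%s" % (dst, proto))

    def install(self, dst, proto, spi, keymat):
        """Attach key material to a previously allocated SPI."""
        key = (dst, proto, spi)
        if key not in self._sas:
            raise KeyError("SPI %#x was not allocated for %s/%s" % (spi, dst, proto))
        self._sas[key] = keymat

    def lookup(self, dst, proto, spi):
        """Return the key material for an inbound SA, or None if unknown."""
        return self._sas.get((dst, proto, spi))


if __name__ == "__main__":
    sad = SADatabase()
    spi = sad.allocate_spi("192.0.2.1", "esp")  # constructed sample address
    sad.install("192.0.2.1", "esp", spi, b"example-keymat")
    print("allocated SPI %#x" % spi)
```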