
Re: IPsec -- SPI ranges



On the subject of SPIs:

At the last bakeoff I encountered a few parties who simply started
their SPIs from 256. The SPIs really should (must?) be random. 

At the moment, if you give me (your) SPI, and I already happen to
have it in my SADB (say you restarted your SADB and I didn't), I
will reject it due to a duplicate SPI. I suppose I *could* tear 
down the old SA in favor of the new one, but I haven't convinced
myself yet that this is a good idea.

On my side, I'll randomly generate an SPI, check that it's > 255,
and check for collisions. 

I also do not recognize a separate range for manually-keyed SAs, 
although I can understand where it could be a problem to install
manual SAs on an already-running system, in case the SPI that 
you chose was already in use (remember, you need to coordinate
the SPI value with someone else). As I use randomly-generated
SPIs for non-manually keyed SAs, I figure that the chance of
collision is low, so I haven't considered it to be a serious
problem. 

- C
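The SPI handling described in the post (random 32-bit SPIs, reject anything at or below 255, refuse a duplicate already in the SADB, and the restart problem with sequential SPIs starting at 256), as an added example that is not the poster's code. The `SADB` class, its method names and the use of 255 as the reserved boundary are assumptions drawn from the post's "> 255" check.

```python
import secrets

# Constructed example, not code from the mailing-list post.
SPI_RESERVED_MAX = 255        # the post checks SPI > 255
SPI_MAX = 0xFFFFFFFF          # SPI is a 32-bit field


class DuplicateSPI(Exception):
    """Raised when a peer offers an SPI that is already in our SADB."""


class SADB:
    def __init__(self, rng=secrets.randbelow):
        self._sas = {}            # spi -> (peer, keys)
        self._randbelow = rng     # injectable for deterministic tests

    def allocate_spi(self, max_tries=16):
        """Random SPI outside the reserved range and free in our SADB."""
        for _ in range(max_tries):
            spi = self._randbelow(SPI_MAX + 1)
            if spi <= SPI_RESERVED_MAX:
                continue          # reserved range: draw again
            if spi not in self._sas:
                return spi
        raise RuntimeError("no free SPI found")

    def install(self, spi, peer, keys):
        """Install an SA proposed by a peer; duplicates are rejected."""
        if not SPI_RESERVED_MAX < spi <= SPI_MAX:
            raise ValueError(f"SPI {spi:#x} reserved or out of range")
        if spi in self._sas:
            raise DuplicateSPI(spi)   # as the post: no tear-down, just reject
        self._sas[spi] = (peer, keys)

    def __contains__(self, spi):
        return spi in self._sas


def sequential_peer_restart():
    """Peer counts SPIs up from 256, restarts, and reuses 256.

    Returns True if our duplicate check rejects the reused SPI."""
    local = SADB()
    local.install(256, "peer", b"k1")   # first SA before the peer restarts
    try:
        local.install(256, "peer", b"k2")   # peer restarted, same SPI again
    except DuplicateSPI:
        return True
    return False
```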


