
Manual key management issues




Hi Steve,

I have some questions regarding exchange of SPIs during Manual key management.

1. During Automatic key management, as we know, SPIs will be exchanged
prior to any data transfer with the help of ISAKMP. But how are the SPIs
exchanged during Manual Key Management?

2. Assuming that the SPI is not exchanged prior to data transfer in manual key
management, we thought of implementing the matching of an incoming packet with
the SAs by comparing the packet's Dest_address and Sec_protocol with the
SA counterparts. If we find that more than one SA is matched, then we do
an exhaustive processing and only process the packet with the totally
matching SA. Is this strategy fine? Or is it that, for conformance to IPSEC,
the SA has to be found by matching against the unique tuple (SPI, IPSEC
proto, Dest Addr)?

3. Also, once again in manual key management, we are planning to create SAs
for outgoing packets at run-time if a matching SA is not found in the SAD,
by generating a unique SPI value. When are the SAs for receiving packets
created? Do we create SAs for the SPD entries in the incoming direction at
boot-up time, and are they static, i.e., do they remain until the system is rebooted?
But this might compromise security if SAs remain for so long a period.

                                         Thanks in Advance
                                            Rohit

 
Rohit Aradhya
Rendzevous Onchip Pvt Ltd.
First Floor, Plot No 14
New Vasavi Nagar, Karkhana
Secunderbad -500019.
India
Phone No : (040)7742606
email address : rohit@trinc.com
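An added example, not part of Rohit's message or of any IPsec implementation: a minimal inbound SAD lookup keyed on the (SPI, IPsec protocol, destination address) triple that question 2 mentions, next to a count of how many SAs match on destination and protocol alone. Addresses, SPIs, key identifiers and packet bytes are constructed; the SPI offsets follow the ESP and AH header layouts of RFC 2406 and RFC 2402.

```python
import struct
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers for the two IPsec security protocols

@dataclass(frozen=True)
class SAKey:
    """RFC 2401 inbound SA identifier: (destination address, protocol, SPI)."""
    dst: str
    proto: int
    spi: int

# Constructed sample SAD (hypothetical values): two manually keyed ESP SAs to the
# same destination that differ only in SPI, plus one AH SA.
SAD = {
    SAKey("10.0.0.1", ESP, 0x1000): {"cipher": "aes-cbc", "key_id": "manual-A"},
    SAKey("10.0.0.1", ESP, 0x2000): {"cipher": "aes-cbc", "key_id": "manual-B"},
    SAKey("10.0.0.1", AH, 0x3000): {"auth": "hmac-sha1", "key_id": "manual-C"},
}

def make_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP payload: SPI (4 bytes), sequence number (4 bytes), then data."""
    return struct.pack("!II", spi, seq) + body

def make_ah(spi: int, seq: int, icv: bytes = b"\x00" * 12) -> bytes:
    """Constructed AH header: next-hdr, payload-len, reserved, SPI, seq, then ICV."""
    return struct.pack("!BBHII", 50, 4, 0, spi, seq) + icv

def spi_from_header(proto: int, payload: bytes) -> int:
    """ESP carries the SPI in its first 4 bytes; AH carries it at offset 4."""
    offset = {ESP: 0, AH: 4}.get(proto)
    if offset is None or len(payload) < offset + 4:
        raise ValueError("not an AH/ESP packet or header truncated")
    return struct.unpack("!I", payload[offset:offset + 4])[0]

def lookup_inbound(dst: str, proto: int, payload: bytes):
    """Inbound lookup on the full triple; None means no SA, so the packet is dropped."""
    return SAD.get(SAKey(dst, proto, spi_from_header(proto, payload)))

def candidates_without_spi(dst: str, proto: int) -> int:
    """Matching on (dst, proto) alone; a count above 1 shows the selector is ambiguous."""
    return sum(1 for k in SAD if k.dst == dst and k.proto == proto)
```

Because the SPI travels in the AH/ESP header of every protected packet, the receiver selects the SA from the packet itself; the two ESP entries above are only distinguishable once the SPI is part of the key.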

