RE: SPI question
Steven,
> Waters> Isn't this the wrong way round? If the initiator is setting up
> Waters> an SA, it is probably because there is a packet waiting to go OUT.
> Waters>
> Waters> It seems more logical to me that the initiator should specify
> Waters> the SPI for the Initiator's OUTBOUND and the responder's INBOUND,
> Waters> and that the responder should create another SPI for the
> Waters> responder's OUTBOUND and the initiator's INBOUND.
> Waters>
> Waters> This is all guess-work though - I haven't read it anywhere. I
> Waters> know, you can tell :)
> Waters> Cheers, Steve.
You're right, this is the "common case" where I have a local policy
for outgoing packets in place (specified in the SPD). These
"outgoing rules" are searched for a matching selector before a packet
leaves the machine, and therefore the resulting SPI of I is
"outgoing" and R's SPI is "incoming".
However, a question which is still open (to me) is: if there is no
prior agreement between two systems to use IPSec, but one of them
requires, say, AH for every incoming packet (which is an "incoming
rule"), every packet without AH will be dropped silently. The
"ignorant" sender will never get a packet to this machine. On the
other hand, if this packet would trigger an IKE exchange (where the
SPI inbound/outbound relation is now the opposite), this could be an entry
point for DoS attacks...
Kai
# Kai Martius #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology #
# PGP Fingerprint: to be compared after download of my key #
# Key and more info (especially IP-security related) see my Homepage #
# http://www.imib.med.tu-dresden.de/imib/personal/kai.html #
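The SPD/SAD behaviour discussed above, as an added example that is not part of this thread or any IPsec implementation: a toy model in which an outbound packet matching a "protect" rule with no SA queues a key-exchange request, while an unprotected inbound packet under an "incoming rule" is dropped silently and never triggers negotiation. Addresses, SPI values and the SPD tuple layout are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    protected: bool = False      # carries an AH/ESP header
    spi: int = 0                 # SPI 0 is reserved, so it doubles as "none"

@dataclass
class Ipsec:
    # SPD entries: (direction, local, remote, action) with action "protect", "bypass" or "discard".
    spd: list
    sad: dict = field(default_factory=dict)     # (direction, peer) -> SPI
    ike_requests: list = field(default_factory=list)

    def install_sa_pair(self, peer, spi_out, spi_in):
        # One SA per direction; our outbound SPI is the peer's inbound SPI and vice versa.
        self.sad[("out", peer)] = spi_out
        self.sad[("in", peer)] = spi_in

    def _policy(self, pkt, direction):
        local, remote = (pkt.src, pkt.dst) if direction == "out" else (pkt.dst, pkt.src)
        for d, l, r, action in self.spd:
            if (d, l, r) == (direction, local, remote):
                return action
        return "discard"         # no matching rule: drop (constructed default)

    def outbound(self, pkt):
        action = self._policy(pkt, "out")
        if action == "bypass":
            return "send-clear"
        if action == "discard":
            return "drop"
        if ("out", pkt.dst) not in self.sad:
            # No SA yet: request IKE. Only locally generated outbound traffic may do this.
            self.ike_requests.append(pkt.dst)
            return "drop-pending-ike"
        return "send-protected"

    def inbound(self, pkt):
        action = self._policy(pkt, "in")
        if action == "bypass":
            return "accept-clear"
        if action == "discard" or not pkt.protected:
            # Unprotected packet under a protect rule: silent drop, no IKE trigger.
            return "drop-silent"
        if self.sad.get(("in", pkt.src)) != pkt.spi:
            return "drop-unknown-spi"
        return "accept-protected"
```

The inbound path deliberately has no negotiation hook, which is the design choice that keeps an unauthenticated sender from forcing IKE exchanges.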