
RE: SPI question



Steven,
the SPI value for an SA is always selected by the IPSec peer at the
target end of the SA, no matter who initiates the key negotiation. When
A does key negotiation with B, each sends its chosen SPI value to the
other who saves it. When A sends a packet to B, A includes the SPI
chosen by B in the packet sent to B (and vice versa). When B receives a
packet, it uses the received SPI (which was chosen by itself) along with
other info to figure out who is the source of the packet and what
algorithms, etc. are to be used to decrypt the packet. 

FYI - I use the SPI as an index into a table which then points to my
control block which contains everything I know about the remote peer.

-CJ

	-----Original Message-----

	> Waters> Isn't this the wrong way round?  If the initiator is setting up
	> Waters> an SA, it is probably because there is a packet waiting to go OUT.
	> Waters>
	> Waters> It seems more logical to me that the initiator should specify
	> Waters> the SPI for the Initiator's OUTBOUND and the responder's INBOUND,
	> Waters> and that the responder should create another SPI for the
	> Waters> responder's OUTBOUND and the initiator's INBOUND.
	> Waters>
	> Waters> This is all guess-work though - I haven't read it anywhere.  I
	> Waters> know, you can tell :)
	> Waters> Cheers, Steve.
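The SPI handling CJ describes, as an added Python model that is not part of the thread and not anyone's IPsec implementation: two peers each choose the SPI for the SA they will receive on, the sender writes the destination's SPI into the packet, and the receiver uses that SPI as the index into its own table of inbound SAs to find the peer, algorithm and key. It also shows what goes wrong under the alternative Waters suggested, where a packet would carry the sender's own SPI: the receiver finds no SA and drops it. The packet layout (SPI, sequence number, payload, truncated HMAC), the algorithm names, the key bytes and the simplified anti-replay check are all assumptions for this example; real IPsec may index the inbound SA by SPI alone or by SPI plus destination address and protocol, and uses the negotiated cipher as well as the integrity algorithm.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 16  # bytes of truncated HMAC carried as the integrity check value (toy choice)

# Algorithm names are an assumption for this example; the receiver learns which
# one to apply from the SA it finds via the SPI, as CJ describes.
AUTH_ALGS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


class SA:
    """One direction of traffic; its SPI was chosen by the receiving end."""

    def __init__(self, spi, peer, auth_alg, auth_key):
        self.spi = spi
        self.peer = peer          # name of the other end of this SA
        self.auth_alg = auth_alg
        self.auth_key = auth_key
        self.seq = 0              # last sequence number sent or accepted


class Peer:
    def __init__(self, name):
        self.name = name
        self.inbound = {}   # SPI -> SA: the SPI is the table index, as in CJ's design
        self.outbound = {}  # peer name -> SA carrying the SPI that peer chose

    def choose_spi(self):
        """Pick an SPI that is unique among this peer's own inbound SAs.
        RFC 4303 reserves 0 (implementation-specific) and 1-255 (IANA)."""
        while True:
            spi = struct.unpack(">I", os.urandom(4))[0]
            if spi > 255 and spi not in self.inbound:
                return spi


def negotiate(a, b, key_a_to_b, key_b_to_a, auth_alg="hmac-sha256"):
    """Stand-in for the key exchange: each side announces the SPI it wants to
    RECEIVE on, and the other side stores it as its outbound SPI."""
    spi_a = a.choose_spi()  # A chooses the SPI for traffic B -> A
    spi_b = b.choose_spi()  # B chooses the SPI for traffic A -> B
    a.inbound[spi_a] = SA(spi_a, b.name, auth_alg, key_b_to_a)
    b.outbound[a.name] = SA(spi_a, a.name, auth_alg, key_b_to_a)
    b.inbound[spi_b] = SA(spi_b, a.name, auth_alg, key_a_to_b)
    a.outbound[b.name] = SA(spi_b, b.name, auth_alg, key_a_to_b)
    return spi_a, spi_b


def _icv(sa, data):
    return hmac.new(sa.auth_key, data, AUTH_ALGS[sa.auth_alg]).digest()[:ICV_LEN]


def send(src, dst_name, payload):
    """Build an ESP-like packet: SPI | sequence | payload | ICV.
    The SPI written here is the one the DESTINATION chose."""
    sa = src.outbound[dst_name]
    sa.seq += 1
    header = struct.pack(">II", sa.spi, sa.seq)
    return header + payload + _icv(sa, header + payload)


def receive(dst, packet):
    """Look the SA up by the received SPI (chosen by dst itself), then apply the
    SA's algorithm and key. Returns (sender name, payload), or None if dropped."""
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack(">II", packet[:8])
    sa = dst.inbound.get(spi)
    if sa is None:
        return None                      # no SA with this SPI: drop
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(sa, body)):
        return None                      # integrity check failed: drop
    if seq <= sa.seq:
        return None                      # replayed or reordered: drop (simplified anti-replay)
    sa.seq = seq
    return sa.peer, body[8:]


def demo():
    """Run the exchange on constructed sample data and report what happened."""
    a, b = Peer("A"), Peer("B")
    spi_a, spi_b = negotiate(a, b, b"key-for-A-to-B", b"key-for-B-to-A")
    pkt = send(a, "B", b"hello from A")
    # A packet carrying the sender's OWN inbound SPI, as in Waters' model.
    wrong = struct.pack(">II", spi_a, 99) + b"misdirected"
    wrong += _icv(a.inbound[spi_a], wrong)
    return {
        "packet_spi_is_dst_choice": struct.unpack(">I", pkt[:4])[0] == spi_b,
        "delivered": receive(b, pkt),
        "replay": receive(b, pkt),
        "wrong_spi": receive(b, wrong),
        "reply": receive(a, send(b, "A", b"hi A")),
    }


if __name__ == "__main__":
    print(demo())
```

Because each end only ever needs to look up SPIs it chose itself, uniqueness is a purely local problem: choose_spi only has to avoid collisions within that one peer's inbound table, which is why the SPI can double as a direct index into it.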