
Re: Comments on the latest Security architecture draft
>  2. Section 4.1. Definition of an SA
>
>     A Security Association (SA) is a triple of (Dest_Addr, SPI, 
>     security_protocol). Yet, the SPI number is fixed by the initiator 
>     and selected by the responder (refer to the ISAKMP and IKE documents).
>     There is a problem with making the above two statements work together.

No there isn't.

>     Suppose there are 2 secure gateways (called SGW1 and SGW2) talking 
>     to the same target destination address (hereafter called the target), 
>     using the same SPI number and the same security protocol (say ESP). 
>     Surely, the target node should maintain 2 SAs with different sets of 
>     attributes (such as keys, SA lifetime etc.), one for traffic from 
>     SGW1 and another for traffic from SGW2. Yet, the triple of both 
>     these SAs on the target is identical. 

Only if the target is broken.  It should have generated a different
SPI for each of the security gateways.  If it did not, its implementation
of IPsec is broken.
-- 
Matt Thomas                    Internet:   matt@ljo.dec.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.
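
The point Matt makes above, as an added example (this is not code from the
thread or from any IPsec implementation): a toy Security Association Database
keyed by the (Dest_Addr, SPI, security_protocol) triple.  Each end chooses the
SPI for the SAs on which it receives traffic, so the two SAs the target holds
for traffic from SGW1 and SGW2 cannot share a triple even when both gateways
proposed the same SPI for their own inbound side.  The addresses, key bytes and
lifetimes are constructed; the "random 32-bit value not below 256" allocation
policy is one reasonable choice, not something the thread prescribes.

```python
"""Toy SAD showing why the (Dest_Addr, SPI, protocol) triple stays unique
when the receiver picks the SPI.  Added example; addresses/keys constructed."""

import secrets
from dataclasses import dataclass

ESP = 50  # IP protocol number of ESP (AH would be 51)


@dataclass(frozen=True)
class SAKey:
    dst_addr: str
    spi: int
    protocol: int


@dataclass
class SA:
    peer: str          # the other end of this SA
    key: bytes         # placeholder key material, constructed for the example
    lifetime_s: int


class SAD:
    MIN_SPI = 256      # SPI 0 and 1..255 are reserved, so never hand them out

    def __init__(self) -> None:
        self._sas: dict[SAKey, SA] = {}

    def allocate_inbound_spi(self, dst_addr: str, protocol: int) -> int:
        """Receiver-side SPI choice: a random 32-bit value not yet used for
        this (dst_addr, protocol).  This is what keeps the triple unique."""
        while True:
            spi = secrets.randbits(32)
            if spi >= self.MIN_SPI and SAKey(dst_addr, spi, protocol) not in self._sas:
                return spi

    def install(self, key: SAKey, sa: SA) -> None:
        if key in self._sas:
            raise ValueError(f"duplicate SA triple {key}")
        self._sas[key] = sa

    def lookup(self, dst_addr: str, spi: int, protocol: int):
        return self._sas.get(SAKey(dst_addr, spi, protocol))


def negotiate(sad: SAD, local: str, peer: str, peer_spi: int,
              key: bytes, lifetime_s: int) -> int:
    """Install the SA pair from one IKE-style exchange with `peer`.

    `peer_spi` is the SPI the peer chose for traffic it will receive, so it
    labels our outbound SA (dst = peer).  For the inbound SA (dst = local)
    we choose the SPI ourselves and hand it back to the peer."""
    sad.install(SAKey(peer, peer_spi, ESP), SA(peer, key, lifetime_s))
    local_spi = sad.allocate_inbound_spi(local, ESP)
    sad.install(SAKey(local, local_spi, ESP), SA(peer, key, lifetime_s))
    return local_spi


def two_gateways_one_target():
    """The thread's scenario: SGW1 and SGW2 both talk to one target and both
    propose SPI 0x1000.  Returns the target's SAD and its two inbound SPIs."""
    target, sgw1, sgw2 = "192.0.2.1", "198.51.100.1", "203.0.113.1"  # constructed
    sad = SAD()
    spi_from_sgw1 = negotiate(sad, target, sgw1, peer_spi=0x1000, key=b"k1", lifetime_s=3600)
    spi_from_sgw2 = negotiate(sad, target, sgw2, peer_spi=0x1000, key=b"k2", lifetime_s=1800)
    return sad, spi_from_sgw1, spi_from_sgw2


if __name__ == "__main__":
    sad, s1, s2 = two_gateways_one_target()
    # Outbound SAs share SPI 0x1000 but differ in Dest_Addr, so both resolve.
    print(sad.lookup("198.51.100.1", 0x1000, ESP).peer,
          sad.lookup("203.0.113.1", 0x1000, ESP).peer)
    # Inbound SAs share Dest_Addr, so the target made the SPIs differ.
    print(hex(s1), hex(s2),
          sad.lookup("192.0.2.1", s1, ESP).peer,
          sad.lookup("192.0.2.1", s2, ESP).peer)
```

The two outbound SAs at the target legitimately carry the same SPI because
their Dest_Addr differs; the two inbound SAs share Dest_Addr, so only the
target's own allocation keeps them apart, which is exactly why an
implementation that lets the initiator dictate the target's inbound SPI is
the broken one.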