Re: Comments on the latest Security architecture draft
> 2. Section 4.1. Definition of an SA
>
> A Security Association(SA) is a triple of (Dest_Addr, SPI,
> security_protocol). Yet, the SPI number is fixed by the initiator
> and selected by the responder (refer ISAKMP and IKE documents).
> There is a problem with the above two statements to work together.
No there isn't.
> Suppose there are 2 secure gateways (called SGW1 and SGW2) talking
> to the same target dest. Address (hereafter called target), using
> the same SPI number and same security protocol (say ESP). Surely,
> the target node should maintain 2 SAs with different sets of
> attributes (such as keys, SA lifetime etc..), one for traffic from
> SGW1 and another for traffic from SGW2. Yet, the triple of both
> these SAs on target is identical.
Only if the target is broken. It should have generated a different
SPI for each of the security gateways. If it did not, its implementation
of IPsec is broken.
--
Matt Thomas
Internet Locksmith
AltaVista Internet Software
Littleton, MA
Internet: matt@ljo.dec.com
WWW URL: <coming eventually>
Disclaimer: This message reflects my own warped views, etc.
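The point of the reply above is that the inbound SA is identified by the triple (Dest_Addr, SPI, security_protocol), so the node that receives traffic must pick an SPI that is unique within that triple for every SA it installs. The following Python sketch is an added example written for this page, not code from the thread or from any IPsec implementation: it keeps an inbound SA database keyed on the triple, allocates SPIs so that two gateways (SGW1 and SGW2 from the question) talking to the same target with ESP never share a triple, and refuses to install a second SA under a triple already in use. The class and function names, the peer labels, the sample addresses and keys, and the choice to skip SPI values below 256 are all assumptions made for the illustration.

```python
"""Inbound SA database keyed on (dst, spi, proto), plus an SPI allocator.

Added example for this page; the names and values below are assumptions,
not anything taken from the security architecture draft or the thread.
"""
import os
from dataclasses import dataclass

PROTO_ESP = 50
PROTO_AH = 51
SPI_MIN = 256  # assumption: leave the low SPI range alone; adjust to taste


@dataclass
class SecurityAssociation:
    """Per-SA state the target has to keep separately for each peer."""
    dst: str        # our address, the Dest_Addr of the triple
    spi: int        # chosen by us (the responder) for inbound traffic
    proto: int      # PROTO_ESP or PROTO_AH
    peer: str       # which gateway this SA belongs to (label only)
    key: bytes      # constructed sample key material
    lifetime_s: int


class InboundSAD:
    """Security Association Database indexed by the (dst, spi, proto) triple."""

    def __init__(self, rng=os.urandom):
        self._table = {}   # (dst, spi, proto) -> SecurityAssociation
        self._rng = rng    # injectable so the allocator can be tested

    def allocate_spi(self, dst, proto):
        """Pick an SPI that is not already in use for this (dst, proto).

        Uniqueness is checked against the database, which is what keeps
        two gateways from ending up with the same triple on this node.
        """
        for _ in range(64):
            spi = int.from_bytes(self._rng(4), "big")
            if spi >= SPI_MIN and (dst, spi, proto) not in self._table:
                return spi
        raise RuntimeError("could not allocate a unique SPI")

    def install(self, sa):
        """Insert an SA; reject a duplicate triple instead of overwriting."""
        triple = (sa.dst, sa.spi, sa.proto)
        if triple in self._table:
            raise ValueError(f"SA triple {triple} already in use")
        self._table[triple] = sa
        return triple

    def lookup(self, dst, spi, proto):
        """Inbound packet processing: find the SA from the packet's triple."""
        return self._table.get((dst, spi, proto))


def negotiate_inbound(sad, dst, proto, peer, key, lifetime_s):
    """Responder side of an SA setup: we choose the SPI the peer must use."""
    spi = sad.allocate_spi(dst, proto)
    sa = SecurityAssociation(dst, spi, proto, peer, key, lifetime_s)
    sad.install(sa)
    return sa


def demo():
    """Two gateways reach the same target over ESP; each gets its own SPI."""
    sad = InboundSAD()
    target = "192.0.2.10"   # constructed sample address
    sa1 = negotiate_inbound(sad, target, PROTO_ESP, "SGW1", b"k1" * 8, 3600)
    sa2 = negotiate_inbound(sad, target, PROTO_ESP, "SGW2", b"k2" * 8, 7200)
    # A broken node that handed SGW2 the SPI already given to SGW1 would hit
    # this duplicate triple; the database refuses it instead.
    try:
        sad.install(SecurityAssociation(target, sa1.spi, PROTO_ESP, "SGW2",
                                        b"x" * 16, 10))
        collided = False
    except ValueError:
        collided = True
    return sa1, sa2, collided


if __name__ == "__main__":
    a, b, c = demo()
    print(f"SGW1 spi={a.spi:#010x} SGW2 spi={b.spi:#010x} duplicate rejected={c}")
```

The allocator is deliberately given the database rather than a counter: uniqueness is a property of the triple on the receiving node, so the check belongs where the triple is stored. Lookup on the packet's (dst, spi, proto) then returns exactly one SA, which is what the reply says a correct implementation guarantees.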