
Re: Comments on the latest Security architecture draft



> 
> 
> >  2. Section 4.1. Definition of an SA
> >
> >     A Security Association (SA) is a triple of (Dest_Addr, SPI, 
> >     security_protocol). Yet, the SPI number is fixed by the initiator 
> >     and selected by the responder (refer to the ISAKMP and IKE documents).
> >     There is a problem with making the above two statements work together.
> 
> No there isn't.
> 
> >     Suppose there are 2 secure gateways (called SGW1 and SGW2) talking 
> >     to the same target dest. Address (hereafter called target), using 
> >     the same SPI number and same security protocol (say ESP). Surely, 
> >     the target node should maintain 2 SAs with different sets of 
> >     attributes (such as keys, SA lifetime etc..), one for traffic from 
> >     SGW1 and another for traffic from SGW2. Yet, the triple of both 
> >     these SAs on target is identical. 
> 
> Only if the target is broken.  It should have generated a different
> SPI for each of the security gateways.  If it did not, its implementation
> of IPsec is broken.
> -- 
> Matt Thomas                    Internet:   matt@ljo.dec.com
> Internet Locksmith             WWW URL:    <coming eventually>
> AltaVista Internet Software    Disclaimer: This message reflects my own
> Littleton, MA                              warped views, etc.
> 

So, I assume, you are saying that the target should pick the SPI number,
and not the initiating gateways (SGW1, SGW2 in the above example).
 
Makes sense. But, as far as I can tell, this was left unspecified in the 
ISAKMP and IKE drafts. In particular, section 4.1 of the latest 
ISAKMP draft should have specified who sets the SPI number and 
who uses it. The most obvious assumption to make is that the initiator 
sets the SPI number along with the proposals and transforms in the SA 
payload and the responder selects the one that suits best. The draft 
SHOULD document the roles of who sets the number and who uses the 
number very clearly. It doesn't do that. Neither does the IKE draft. 

Thanks.

cheers,
suresh
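As an added illustration of the SA-triple point argued in this thread (not code from the thread or from any IPsec implementation): a Python sketch of a target node's inbound SA database in which the receiver, not the initiating gateway, allocates the SPI, beside the collision that occurs when two gateways insist on the same SPI. The class and function names, and the SGW1/SGW2 sample values, are assumptions.

```python
"""Receiver-assigned SPIs in an inbound Security Association Database (SAD).

An SA is identified by the triple (dest_addr, spi, security_protocol), so the
node that will receive traffic on an SA is the one that must keep SPIs unique
among its own inbound SAs. Constructed illustration, not real IPsec code.
"""
import secrets

ESP = 50        # IP protocol number for ESP
SPI_MIN = 256   # SPI values 0-255 are reserved by the IPsec architecture


class InboundSAD:
    """Inbound SAs held by one node, keyed by (dest_addr, spi, protocol)."""

    def __init__(self, my_addr):
        self.my_addr = my_addr
        self.sas = {}  # (dest_addr, spi, proto) -> SA attributes

    def allocate_spi(self):
        """Pick a random SPI not already in use for this address/protocol."""
        while True:
            spi = secrets.randbelow(2**32 - SPI_MIN) + SPI_MIN
            if (self.my_addr, spi, ESP) not in self.sas:
                return spi

    def negotiate_inbound(self, peer_addr, key, lifetime_s):
        """Responder side: the target picks the SPI the peer puts on the wire."""
        spi = self.allocate_spi()
        self.sas[(self.my_addr, spi, ESP)] = {
            "peer": peer_addr, "key": key, "lifetime": lifetime_s}
        return spi

    def lookup(self, dest_addr, spi, proto):
        """Inbound packet processing: the triple alone selects the SA."""
        return self.sas.get((dest_addr, spi, proto))


def initiator_chosen_collision(target_addr, spi):
    """The failure described in the thread: SGW1 and SGW2 both fix the same
    SPI towards the target, so their SAs share one triple and the second
    negotiation overwrites the first (constructed sample peers and keys)."""
    sad = {}
    for peer, key in (("SGW1", "key-sgw1"), ("SGW2", "key-sgw2")):
        sad[(target_addr, spi, ESP)] = {"peer": peer, "key": key}
    return sad  # one entry left: SGW1's attributes are gone
```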

