
Re: Comments on the latest Security architecture draft



> 
> Harold Koch cited where it is listed in the IKE document.  The
> Architecture Security document also has this to say:
> 
>    SPI
>       Acronym for "Security Parameters Index".  The combination of a
>       destination address, a security protocol, and an SPI uniquely
>       identifies a security association (SA, see above).  The SPI is
>       carried in AH and ESP protocols to enable the receiving system to
>       select the SA under which a received packet will be processed.  An
>       SPI has only local significance, as defined by the creator of the
>       SA (usually the receiver of the packet carrying the SPI); thus an
>       SPI is generally viewed as an opaque bit string.  However, the
>       creator of an SA may choose to interpret the bits in an SPI to
>       facilitate local processing.
> 
> So it is there in the documents.
> 
> 					- Ted
> 

OK, you have the material in the Glossary section (Appendix A, page 47)
of the Architecture document. I was looking to find this in the main
portion of this document. Perhaps, more so in IKE/ISAKMP documents.
Anyways, I would still recommend adding clarity to the text in IKE/ISAKMP
drafts.

One more thing: It seems, IKE negotiated ISAKMP/IPsec SA parameters
must be symmetric in both directions. Is this true? If not, can you give
me an example of how an asymmetric SA negotiation takes place, where the
initiator proposes NULL ESP and the responder accepts with MD-5 AH.
(i.e., initiator will receive NULL ESP packets and the responder will
receive MD-5 AH packets).

Thanks.

cheers,
suresh
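An added example, written for this page and not taken from the thread or from any IPsec implementation, that models the glossary's rule for SA identification as a lookup table keyed by (destination address, security protocol, SPI). It shows that an SPI value only has meaning together with the other two fields, and how the SPI is pulled out of an AH or ESP header. Addresses, SPI values and header bytes are constructed for illustration.

```python
# Added example: a toy Security Association Database (SAD) keyed exactly as
# the quoted glossary entry says, by (destination address, protocol, SPI).
# Addresses, SPI values and header bytes below are constructed.
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str        # destination address the SA was installed for
    proto: int      # AH or ESP
    spi: int        # chosen by the receiver; opaque to the sender
    transform: str  # e.g. "hmac-md5" for AH, "null" for ESP


class SAD:
    def __init__(self):
        self._table = {}

    def add(self, sa):
        key = (sa.dst, sa.proto, sa.spi)
        if key in self._table:
            raise ValueError(f"duplicate SA for {key}")
        self._table[key] = sa

    def lookup(self, dst, proto, spi):
        """Select the SA under which an inbound packet is processed, or None."""
        return self._table.get((dst, proto, spi))


def spi_from_header(proto, payload):
    """Extract the SPI from the start of an AH or ESP header.
    ESP carries the SPI in its first 4 bytes; AH puts it after a 4-byte
    prefix (next header, payload length, reserved)."""
    off = 0 if proto == ESP else 4
    return int.from_bytes(payload[off:off + 4], "big")


def build_demo_sad():
    """Two unidirectional SAs, one per direction, each SPI picked by the
    host that will receive the packets. The same SPI value on a different
    destination or protocol is a different (or nonexistent) SA."""
    sad = SAD()
    sad.add(SecurityAssociation("10.0.0.2", AH, 0x1000, "hmac-md5"))
    sad.add(SecurityAssociation("10.0.0.1", ESP, 0x1000, "null"))
    return sad
```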

