
Multi-homed nodes and SAs for incoming packets




Hi,

Question on multi-homed nodes. This may have been previously hashed in
the mailing list already. If so, I would appreciate it if you could refer me
to a mail archive. Thanks.

Say, a VPN node X is multi-homed (i.e., has multiple network interfaces
and IP addresses); and is using an IKE application to negotiate IPsec SAs.
X is supposed to use the tuple of (<Dest. address>, SPI, <protocol>) to
find the SA the incoming packet belongs to. In reality, the destination
IP address doesn't matter so long as it matches one of the addresses used
by X.  Most nodes are likely to have a single SPI index table (per
protocol, maybe) for the box, not one for each address of the box.

So, is it fair to assume that an SPI, once negotiated using one address
of the box, is equally valid for all addresses pertaining to the same box?
If not, what are the logistics against this?

Thanks.

cheers,
suresh
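
The two inbound lookup models the message contrasts, as an added example that is not part of the original post: a table keyed by the full (destination address, SPI, protocol) tuple next to a single per-box SPI table. The class names, the addresses (documentation ranges), the SPI value and the SA labels are constructed for illustration.

```python
# Added illustration: two ways a multi-homed node X could index inbound SAs.
# Addresses, SPI value and SA labels are constructed sample values.
from ipaddress import ip_address

ESP = 50  # IP protocol number for ESP
LOCAL_ADDRS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}  # node X

class StrictSAD:
    """Keyed by the full (dest address, SPI, protocol) tuple."""
    def __init__(self):
        self._sas = {}
    def add(self, dst, spi, proto, sa):
        self._sas[(ip_address(dst), spi, proto)] = sa
    def lookup(self, dst, spi, proto):
        return self._sas.get((ip_address(dst), spi, proto))

class BoxWideSAD:
    """One SPI table per protocol for the whole box; the destination only
    has to be one of the node's own addresses."""
    def __init__(self, local_addrs):
        self._local = set(local_addrs)
        self._sas = {}
    def add(self, dst, spi, proto, sa):
        key = (spi, proto)  # dst is not part of the key in this model
        if key in self._sas:
            raise ValueError("SPI already in use on this box for this protocol")
        self._sas[key] = sa
    def lookup(self, dst, spi, proto):
        if ip_address(dst) not in self._local:
            return None  # not addressed to this node at all
        return self._sas.get((spi, proto))

def demo():
    """Negotiate one SA on 192.0.2.1, then look it up via each address."""
    strict, boxwide = StrictSAD(), BoxWideSAD(LOCAL_ADDRS)
    for sad in (strict, boxwide):
        sad.add("192.0.2.1", 0x1000, ESP, "sa-A")
    results = {}
    for dst in ("192.0.2.1", "198.51.100.1", "203.0.113.9"):
        results[dst] = (strict.lookup(dst, 0x1000, ESP),
                        boxwide.lookup(dst, 0x1000, ESP))
    return results

if __name__ == "__main__":
    for dst, (s, b) in demo().items():
        print(f"{dst:>14}  strict={s}  box-wide={b}")
```

With the per-box table, SPIs have to be allocated uniquely across all of the node's addresses, whereas the tuple-keyed table can hold the same SPI value once per address.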

