
Re: Multi-homed nodes and SAs for incoming packets



>   Let me turn it around:
>   Since it is up to the destination node to allocate the SPI, 
> and it can therefore make sure that its SPI,<any-interface> is
> unique, can you give a reason why anyone should care about 
> whether or not a node considers its interfaces to be equivalent?

One reason would be to have fewer SAs. 

Say my security policies allow VPNs to be established with peer 
nodes (identified by DNS FQDN name or address) on policy-based
selection criteria.

If I determine that an SA already exists to one of the addresses of 
a peer node, I would rather reuse the same outgoing SA for all of its
addresses than establish one for each address.

>   
>   There are serious security issues if the machine considers 
> its interfaces equivalent for all operations, btw.
> 

So long as all addresses are valid and equally accessible, what 
security issues are you concerned about?

cheers,
suresh
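An added example, not part of the original thread, of the outbound SA reuse argued for above: the SA database is keyed on the peer's policy identity (FQDN) rather than on each of its addresses, so a multi-homed peer consumes one outgoing SA. The class names, the SPI stand-in and the sample peers are constructed for illustration; in practice the SPI is allocated by the destination node.

```python
# Added example (not from the thread): outbound SA cache keyed on peer identity,
# so every address of a multi-homed peer shares one outgoing SA.
# Assumes all of a peer's addresses fall under the same security policy.
from dataclasses import dataclass, field
import itertools


@dataclass
class OutboundSA:
    spi: int                      # in reality allocated by the destination node
    peer_id: str                  # FQDN or other policy identity of the peer
    peer_addrs: set = field(default_factory=set)  # addresses this SA is used for


class OutboundSAD:
    """Outbound SA database indexed by peer identity, not by destination address."""

    def __init__(self):
        self._by_peer = {}
        self._spi_gen = itertools.count(0x1000)  # constructed stand-in for peer SPIs

    def lookup_or_create(self, peer_id, dst_addr):
        """Return (sa, created): reuse the peer's SA if one exists, else create it."""
        sa = self._by_peer.get(peer_id)
        created = sa is None
        if created:
            sa = OutboundSA(spi=next(self._spi_gen), peer_id=peer_id)
            self._by_peer[peer_id] = sa
        sa.peer_addrs.add(dst_addr)   # same SA now covers this address of the peer
        return sa, created

    def sa_count(self):
        return len(self._by_peer)


def sas_needed(flows, key_by_identity):
    """Count outbound SAs created for (peer_id, dst_addr) flows.

    key_by_identity=True is the reuse described above; False models one SA
    per peer address, as the key then includes the address itself.
    """
    sad = OutboundSAD()
    for peer_id, addr in flows:
        key = peer_id if key_by_identity else f"{peer_id}@{addr}"
        sad.lookup_or_create(key, addr)
    return sad.sa_count()


# Constructed sample: one dual-homed peer (two addresses) and one single-homed peer.
FLOWS = [("gw.example.net", "192.0.2.1"), ("gw.example.net", "198.51.100.7"),
         ("gw.example.net", "192.0.2.1"), ("srv.example.org", "203.0.113.9")]
```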

