
Re: INVALID SPI Notify



Hi Victor,

vvolpe@cisco.com wrote:
> 
> > I just noticed that the Invalid SPI notify message in the notify draft is
> > intended to indicate an unacceptable SPI received during a Phase 2
> > negotiation.  Can Invalid SPI also be used when an IPsec packet is
> > received on an unknown SPI, assuming a Phase 1 SA is established to the
> > peer and the message can be encrypted?  If the answer is yes, what is the
> > format everyone is using?  If the answer is no, then has this changed
> > recently?
> >
> > Victor

Actually, I meant to propose this to the group a few weeks ago, as I am
planning on rev'ing the notify messages draft soon. We have two options:
either add another notify message for this, or expand the use of the
existing INVALID-SPI message. A few of us think that expanding the use
of the existing message is simplest, and could be accomplished by simply
setting the DOI to 0 (isakmp) when it's phase 1, and setting it to 1
(ipsec) when it's for phase 2. 

Does anyone have any comments on this?

Scott
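
As an added example (not code from this thread or from any draft), here is how the two uses discussed above could be told apart on the wire: an ISAKMP Notification payload in the RFC 2408 layout, with the DOI field set to 0 for the Phase 1 case and 1 for the Phase 2 case as Scott proposes. The function names, the Python encoding and the SPI-size sanity check are my own assumptions, and the DOI-to-phase mapping follows the proposal in the message rather than any published text.

```python
import struct

ISAKMP_DOI, IPSEC_DOI = 0, 1                              # DOI: 0 = ISAKMP, 1 = IPsec DOI (RFC 2407)
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 1, 2, 3    # IPsec DOI Protocol-ID values
INVALID_SPI = 11                                          # Notify Message Type (RFC 2408 3.14.1)
# Next Payload, RESERVED, Payload Length, DOI, Protocol-ID, SPI Size, Notify Message Type
_HDR = struct.Struct("!BBHIBBH")
# Expected SPI length per protocol: 16-octet cookie pair for ISAKMP, 4-octet SPI for AH/ESP
_SPI_LEN = {PROTO_ISAKMP: 16, PROTO_IPSEC_AH: 4, PROTO_IPSEC_ESP: 4}

def build_invalid_spi_notify(doi, proto_id, spi, next_payload=0):
    """Encode a Notification payload carrying INVALID-SPI for the offending SPI."""
    length = _HDR.size + len(spi)
    return _HDR.pack(next_payload, 0, length, doi, proto_id, len(spi), INVALID_SPI) + spi

def parse_notify(data):
    """Decode a Notification payload; reject truncated or inconsistent ones."""
    if len(data) < _HDR.size:
        raise ValueError("truncated notification payload")
    nxt, reserved, length, doi, proto_id, spi_size, ntype = _HDR.unpack_from(data)
    if reserved != 0 or length != len(data) or _HDR.size + spi_size > length:
        raise ValueError("payload length / SPI size do not agree")
    spi = data[_HDR.size:_HDR.size + spi_size]
    return {"next": nxt, "doi": doi, "proto": proto_id, "type": ntype,
            "spi": spi, "data": data[_HDR.size + spi_size:length]}

def classify_invalid_spi(notify):
    """Proposed convention (assumption, per the message above): DOI 0 means the
    notify concerns an unknown SPI seen under the Phase 1 SA, DOI 1 means an
    unacceptable SPI during a Phase 2 negotiation. Returns None for other types."""
    if notify["type"] != INVALID_SPI:
        return None
    expected = _SPI_LEN.get(notify["proto"])
    if expected is None or len(notify["spi"]) != expected:
        raise ValueError("SPI size does not match Protocol-ID")   # do not act on it
    if notify["doi"] == ISAKMP_DOI:
        return "phase1"
    if notify["doi"] == IPSEC_DOI:
        return "phase2"
    raise ValueError("unknown DOI %d" % notify["doi"])

if __name__ == "__main__":
    # Constructed sample: an ESP SPI we do not recognise, reported under the Phase 1 SA
    payload = build_invalid_spi_notify(ISAKMP_DOI, PROTO_IPSEC_ESP, b"\x00\x00\x12\x34")
    print(payload.hex(), classify_invalid_spi(parse_notify(payload)))
```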

