
Re: INVALID SPI Notify



When would IKE complain of an invalid SPI during a phase 2 exchange? It's
a 32-bit random number selected by the sender. The only case I can see
is if the SPI was less than 256. (These values, I believe, are forbidden
in IPSEC).

Should IKE treat an _illegal_ value for the SPI during Phase 2 as some
kind of protocol error that is distinct from INVALID-SPI? If it did, then
INVALID-SPI can be unambiguously used by IPSEC to report receipt of an IPSEC
packet whose SPI doesn't exist in the SAD.


Use of the DOI to select between ISAKMP and IPSEC also works. I'm just
curious why and when IKE (isakmp) is ever required to report INVALID-SPI.

-Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
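
The distinction the message proposes, as an added example that is not part of the original post: a Phase 2 check that rejects an illegal SPI value with its own error, kept apart from the SAD lookup that yields INVALID-SPI for an inbound ESP packet. The `ILLEGAL_SPI` label, the function names and the sample SAD are hypothetical; the reserved range (0 for local use, 1-255 reserved) is taken from RFC 2401.

```python
import struct
from enum import Enum

# Assumption: SPI 0 is for local use and 1-255 are reserved (RFC 2401, section 4.1).
RESERVED_SPI_MAX = 255
PROTO_ESP = 50  # IP protocol number for ESP


class Verdict(Enum):
    OK = "ok"
    ILLEGAL_SPI = "illegal-spi"  # hypothetical distinct Phase 2 error, as the post proposes
    INVALID_SPI = "invalid-spi"  # no SA with this SPI exists in the SAD
    MALFORMED = "malformed"


def check_phase2_spi(spi_bytes: bytes) -> Verdict:
    """Validate the SPI a peer proposes for an IPSEC SA during Phase 2."""
    if len(spi_bytes) != 4:
        return Verdict.MALFORMED
    (spi,) = struct.unpack("!I", spi_bytes)
    # A value in the reserved range is a negotiation error, not a lookup miss.
    return Verdict.ILLEGAL_SPI if spi <= RESERVED_SPI_MAX else Verdict.OK


def check_inbound_esp(sad: set, dst: str, esp_packet: bytes) -> Verdict:
    """Look up the SPI carried in an ESP header (its first 4 bytes) in the SAD."""
    if len(esp_packet) < 8:  # SPI plus sequence number
        return Verdict.MALFORMED
    (spi,) = struct.unpack("!I", esp_packet[:4])
    # The SAD is keyed by (destination address, protocol, SPI).
    if (dst, PROTO_ESP, spi) not in sad:
        return Verdict.INVALID_SPI
    return Verdict.OK


# Constructed sample SAD holding one inbound ESP SA.
SAMPLE_SAD = {("192.0.2.1", PROTO_ESP, 0x12345678)}

if __name__ == "__main__":
    print(check_phase2_spi(struct.pack("!I", 200)))
    print(check_inbound_esp(SAMPLE_SAD, "192.0.2.1",
                            struct.pack("!II", 0xDEADBEEF, 1)))
```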

