Re: INVALID SPI Notify



Hi Ben,

Ben McCann wrote:
> 
> When would IKE complain of an invalid SPI during a phase 2 exchange? It's
> a 32-bit random number selected by the sender. The only case I can see
> is if the SPI was less than 256. (These values, I believe, are forbidden
> in IPSEC).
> 
> Should IKE treat an _illegal_ value for the SPI during Phase 2 as some
> kind of protocol error that is distinct from INVALID-SPI? If it did, then
> INVALID-SPI can be unambiguously used by IPSEC to report receipt of an IPSEC
> packet whose SPI doesn't exist in the SAD.
> 
> Use of the DOI to select between ISAKMP and IPSEC also works. I'm just
> curious why and when IKE (isakmp) is ever required to report INVALID-SPI.

Guess I was a bit hasty in my reply - by "phase 2", I meant the case
where an spi is rec'd with no corresponding entry. On the other hand, I
think invalid-spi would still be appropriate if ike rec'd an spi less
than 256. We could use the protocol id in the notify message to
distinguish between whether it was with respect to an ongoing ike
negotiation vs an ipsec session...

Scott
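As an added illustration of the approach Scott suggests (not code from this thread or any IKE implementation), the following parses an ISAKMP Notification payload and dispatches an INVALID-SPI on its protocol-id, separating Ben's reserved-value case from a genuine SAD miss; the numeric constants are taken from RFC 2408 and RFC 2407, and the result labels and the `outbound_spis` lookup are assumptions.

```python
import struct
from dataclasses import dataclass

# Numeric values come from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI); the
# thread itself only uses the names.
NOTIFY_INVALID_SPI = 11
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 1, 2, 3
IPSEC_DOI = 1
RESERVED_SPI_MAX = 255  # SPIs 1..255 are IANA-reserved for AH/ESP

@dataclass
class Notify:
    doi: int
    protocol_id: int
    notify_type: int
    spi: bytes

def build_notify(protocol_id: int, notify_type: int, spi: bytes, doi: int = IPSEC_DOI) -> bytes:
    """Encode a Notification payload; next-payload 0 (none), no notification data."""
    length = 12 + len(spi)
    return struct.pack("!BBHIBBH", 0, 0, length, doi, protocol_id, len(spi), notify_type) + spi

def parse_notify(payload: bytes) -> Notify:
    """Decode a Notification payload, rejecting truncated or inconsistent lengths."""
    if len(payload) < 12:
        raise ValueError("truncated notification payload")
    _nxt, _res, length, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", payload[:12])
    if length > len(payload) or 12 + spi_size > length:
        raise ValueError("payload length / SPI size inconsistent")
    return Notify(doi, proto, ntype, payload[12:12 + spi_size])

def classify_invalid_spi(n: Notify, outbound_spis: set[int]) -> str:
    """Interpret a received INVALID-SPI by its protocol-id (Scott's suggestion).
    outbound_spis (assumed): SPIs of our own outbound AH/ESP SAs to this peer."""
    if n.notify_type != NOTIFY_INVALID_SPI:
        return "not-invalid-spi"
    if n.protocol_id == PROTO_ISAKMP:
        return "ike-negotiation"          # complaint about an ongoing IKE exchange
    if n.protocol_id not in (PROTO_IPSEC_AH, PROTO_IPSEC_ESP):
        return "unknown-protocol"
    if len(n.spi) != 4:
        return "malformed-spi"            # AH/ESP SPIs are exactly 32 bits
    value = int.from_bytes(n.spi, "big")
    if value <= RESERVED_SPI_MAX:
        return "reserved-spi"             # Ben's <256 case: illegal value, not a SAD miss
    if value in outbound_spis:
        return "peer-lost-sa"             # peer has no SAD entry for an SA we are using
    return "spurious"                     # not one of ours: log it, do not act on it
```

Treating an INVALID-SPI that names none of our own SAs as "spurious" matters because the notify is unauthenticated in this exchange; acting on it blindly would let a forged notify tear down or renegotiate live SAs.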
