
Re: Manual SA SPI range



> From: Henry Spencer <henry@spsystems.net>
  ...
>		SPIs below 256 are reserved for special purposes (only one
> of them is currently assigned:  0 is reserved for system internal use and
> may never appear in a packet)

Actually one other SPI value has been assigned by the IANA.
SPI 1 is assigned to the SKIP protocol.

http://www.isi.edu/in-notes/iana/assignments/spi-numbers

> The Linux FreeS/WAN project has decided to reserve all three-digit hex
> numbers, i.e. 0x100 through 0xfff, for manual keying (one-digit and
> two-digit hex numbers being the special-purposes area), and its automatic
> keying will never generate those.  At the moment, I don't know of anybody
> else who has copied this.

I like this idea.  It's completely arbitrary, but a useful informal
convention.  Users will inevitably ask what range is "safe" for them to
use for manual keying when they might use IKE with the same destination
address, so it's good to have something to tell them, even though it has
hardly any practical effect.  And it's trivial to implement since a
generated SPI should avoid 0-0xFF anyway, so one can just slightly raise
the upper bound of that range.  0x100-0xFFF seems like a reasonable
chunk of space to set aside.  I think I'll make SunScreen follow and
document this convention too, so there's the start of a de facto
standard for you.

					-=] Mike [=-
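The convention discussed above (SPI 0 system-internal, SPI 1 SKIP, 2 through 0xFF reserved, 0x100 through 0xFFF set aside for manual keying, everything above that left to automatic keying) is simple enough to encode and check. The following is an added example written for this archive page; it is not code from FreeS/WAN, SunScreen, or either poster. The function names, the SA table layout and the sample entries are constructed for illustration, and the generator follows the reply's suggestion of raising the lower bound of automatically generated SPIs from 0x100 to 0x1000 so that IKE never collides with the manual range.

```python
import secrets

# SPI layout as described in the thread (32-bit SPI field).
SPI_SYSTEM = 0          # reserved for system-internal use, never on the wire
SPI_SKIP = 1            # assigned by IANA to the SKIP protocol
RESERVED_MAX = 0xFF     # 0..0xFF reserved for special purposes
MANUAL_MIN = 0x100      # informal FreeS/WAN manual-keying range ...
MANUAL_MAX = 0xFFF      # ... 0x100..0xFFF inclusive
SPI_MAX = 0xFFFFFFFF    # SPI is a 32-bit field


def classify_spi(spi):
    """Name the region of SPI space a value falls in."""
    if not 0 <= spi <= SPI_MAX:
        raise ValueError("SPI must fit in 32 bits: %r" % (spi,))
    if spi == SPI_SYSTEM:
        return "system-internal"
    if spi == SPI_SKIP:
        return "skip"
    if spi <= RESERVED_MAX:
        return "reserved"
    if spi <= MANUAL_MAX:
        return "manual"
    return "automatic"


def validate_manual_spi(spi):
    """True only if an administrator-chosen SPI sits in the manual range."""
    return classify_spi(spi) == "manual"


def generate_automatic_spi(in_use=frozenset(), rng=secrets.randbelow):
    """Draw an SPI for automatic keying from 0x1000..0xFFFFFFFF.

    Values already in use (per destination/protocol) are rejected and
    redrawn; rng is injectable so the behaviour can be tested deterministically.
    """
    span = SPI_MAX - MANUAL_MAX  # number of candidates above the manual range
    for _ in range(64):
        spi = MANUAL_MAX + 1 + rng(span)
        if spi not in in_use:
            return spi
    raise RuntimeError("could not find an unused SPI after 64 draws")


def audit_sa_table(entries):
    """Check an SA table against the convention.

    entries: iterable of (spi, dst, proto, keying) where keying is
    "manual" or "ike". Returns a list of (spi, message) findings:
    duplicate SPIs for the same destination/protocol, manual SAs outside
    0x100..0xFFF, and IKE-negotiated SAs that landed in reserved or
    manual space.
    """
    findings = []
    seen = set()
    for spi, dst, proto, keying in entries:
        kind = classify_spi(spi)
        key = (spi, dst, proto)
        if key in seen:
            findings.append((spi, "duplicate SPI for %s/%s" % (dst, proto)))
        seen.add(key)
        if keying == "manual" and kind != "manual":
            findings.append((spi, "manual SA outside 0x100-0xFFF (%s)" % kind))
        elif keying == "ike" and kind != "automatic":
            findings.append((spi, "IKE-negotiated SA inside reserved/manual space (%s)" % kind))
    return findings


# Constructed sample SA table (addresses from the documentation range).
SAMPLE_SA_TABLE = [
    (0x1A2B3C4D, "192.0.2.10", "esp", "ike"),     # fine
    (0x200, "192.0.2.10", "esp", "manual"),       # fine: manual SPI in range
    (0x200, "192.0.2.10", "esp", "ike"),          # duplicate, and IKE in manual space
    (0x20000, "192.0.2.11", "esp", "manual"),     # manual SPI outside the convention
]

if __name__ == "__main__":
    for spi, msg in audit_sa_table(SAMPLE_SA_TABLE):
        print("SPI 0x%x: %s" % (spi, msg))
    print("fresh automatic SPI: 0x%x" % generate_automatic_spi({0x200}))
```

Running the audit on the constructed table reports three findings: the repeated SPI 0x200, the IKE-negotiated SA that used it inside the manual range, and the manually keyed SA at 0x20000 that ignores the convention. The generator never returns anything below 0x1000, which is the whole point of the reservation: an operator who picks a three-digit hex SPI by hand cannot be pre-empted by a later IKE negotiation to the same peer.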

