
RE: Manual SA SPI range



On Fri, 19 Jan 2001, Mason, David wrote:
> I'm not sure why one would need to reserve SPIs for manual keys.  The manual
> keys would be loaded on system startup and IKE would therefore never use
> them.

Manual keying isn't necessarily confined to VPN-like applications, where
connections are established at startup time and never changed thereafter.

> ...the chance that whatever SPI chosen is already in
> use would be quite small (and the IKE negotiated SA that is using it, could be
> made to rekey upon load of the manual key, thereby freeing up that SPI).

However, the interactions involved may be awkward, and it looks simpler --
given that some users want to use manual keying but it's not something we
want to put a lot of support work into -- to just reserve a small range as
a manual-keying playpen.  (This involves *no* extra code, since there is
already a reserved range and this just expands it slightly.)

                                                          Henry Spencer
                                                       henry@spsystems.net


