
SA identification



During Tuesday's HIP BOF, JI raised a question that I had begun to 
contemplate while working on revising 2401: why do we need three 
values to identify an SA for incoming IPsec traffic? We currently 
require matching on protocol (AH vs. ESP), SPI, and destination 
address. It's clear that the protocol input can be made redundant by 
assigning SPIs without protocol specificity. Some mobility problems 
could be addressed if we ignored destination address. So, I have two 
questions for the list:

	- do we have any examples of plausible scenarios where we 
need the destination address as a discriminator for inbound traffic 
(in addition to the SPI)?

	- how strongly would vendors feel about changing the spec to 
remove the requirement to match on all 3 values noted above?

Note that SA identification is a local matter for an IPsec receiver, 
and thus it should be possible for a receiver to use just the SPI 
just through appropriate management of that space. So the question is 
really whether anyone manages SPIs in a fashion that relies on using 
the other two values for differentiation.

Steve

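A toy inbound SA database, added here as an illustration and not code from the message or from any IPsec implementation, showing what changes when a receiver keys lookups on the RFC 2401 triple (protocol, SPI, destination address) versus the SPI alone: the per-address SPI reuse the triple permits, and the address-change case the triple breaks. All SPIs, addresses and peer labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AH, ESP = 51, 50  # IP protocol numbers carried in the outer header


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int   # AH or ESP
    dst: str     # local (destination) address the SA was negotiated for
    peer: str    # constructed label for the remote end, illustration only


class SAD:
    """Inbound SA database; `key` selects what identifies an SA on receipt."""
    def __init__(self, key: str = "triple"):
        self.key = key  # "triple" = (proto, spi, dst) as in RFC 2401; "spi" = SPI only
        self.table: Dict[Tuple, SA] = {}

    def _key(self, proto: int, spi: int, dst: str) -> Tuple:
        return (proto, spi, dst) if self.key == "triple" else (spi,)

    def add(self, sa: SA) -> None:
        k = self._key(sa.proto, sa.spi, sa.dst)
        if k in self.table:  # SPI-only lookup needs an allocator that never lets this happen
            raise ValueError(f"SA identifier already in use: {k}")
        self.table[k] = sa

    def lookup(self, proto: int, spi: int, dst: str) -> Optional[SA]:
        """Match an inbound packet's (proto, spi, dst) to an SA, or None if unknown."""
        return self.table.get(self._key(proto, spi, dst))


def demo_multihomed() -> Tuple[str, bool]:
    """Receiver with two addresses that handed out the same SPI on each (constructed)."""
    a = SA(spi=0x1000, proto=ESP, dst="192.0.2.1", peer="peerA")
    b = SA(spi=0x1000, proto=ESP, dst="192.0.2.2", peer="peerB")
    triple, spi_only = SAD("triple"), SAD("spi")
    triple.add(a); triple.add(b)  # destination address keeps them apart
    spi_only.add(a)
    try:
        spi_only.add(b)
        collided = False
    except ValueError:  # SPI alone cannot tell a from b
        collided = True
    return triple.lookup(ESP, 0x1000, "192.0.2.2").peer, collided


def demo_mobility() -> Tuple[bool, bool]:
    """Packet arrives after the receiver's address changed; the SPI stays the same."""
    sa = SA(spi=0x2000, proto=ESP, dst="192.0.2.1", peer="peerC")
    triple, spi_only = SAD("triple"), SAD("spi")
    triple.add(sa); spi_only.add(sa)
    new_dst = "198.51.100.7"  # constructed new local address
    return triple.lookup(ESP, 0x2000, new_dst) is None, spi_only.lookup(ESP, 0x2000, new_dst) is sa
```

Whether the receiver can drop to SPI-only lookup therefore depends entirely on whether its own SPI allocator keeps SPIs unique across all local addresses and both protocols.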