SA identification
During Tuesday's HIP BOF, JI raised a question that I had begun to
contemplate while working on revising 2401: why do we need three
values to identify an SA for incoming IPsec traffic? We currently
require matching on protocol (AH vs. ESP), SPI, and destination
address. It's clear that the protocol input can be made redundant by
assigning SPIs without protocol specificity. Some mobility problems
could be addressed if we ignored destination address. So, I have two
questions for the list:
- do we have any examples of plausible scenarios where we
need the destination address as a discriminator for inbound traffic
(in addition to the SPI)?
- how strongly would vendors feel about changing the spec to
remove the requirement to match on all 3 values noted above?
Note that SA identification is a local matter for an IPsec receiver,
and thus it should be possible for a receiver to use just the SPI
just through appropriate management of that space. So the question is
really whether anyone manages SPIs in a fashion that relies on using
the other two values for differentiation.
Steve
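The trade-off Steve describes, shown in code (an added illustration, not code from the original message or from any IPsec implementation): one Security Association Database keyed on the full (protocol, SPI, destination) triple as in RFC 2401, and one keyed on the SPI alone. The second only works if the receiver manages a single SPI space across AH, ESP and all its local addresses, which is exactly the "local matter" the post points at. The SPI-only variant also shows the mobility effect: a packet for an existing SA that arrives at a new local address still resolves. All addresses, SPIs and the `allocate_spi` helper are constructed for the example.

```python
"""Inbound IPsec SA identification: (protocol, SPI, destination) triple
versus SPI-only keying.  Added illustration, not code from the original
post; every address, SPI and SA label below is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AH, ESP = 51, 50        # IP protocol numbers for AH and ESP
FIRST_FREE_SPI = 256    # SPI values 1..255 are reserved (RFC 2401, sec. 4.1)


@dataclass(frozen=True)
class InboundSA:
    proto: int   # AH or ESP
    spi: int
    dst: str     # local address the SA was negotiated for
    label: str   # human-readable tag used by the demos only


class TripleKeyedSAD:
    """SAD keyed the RFC 2401 way: protocol, SPI and destination address."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, int, str], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        key = (sa.proto, sa.spi, sa.dst)
        if key in self._sas:
            raise ValueError("duplicate SA %r" % (key,))
        self._sas[key] = sa

    def lookup(self, proto: int, spi: int, dst: str) -> Optional[InboundSA]:
        return self._sas.get((proto, spi, dst))


class SpiKeyedSAD:
    """SAD keyed on the SPI alone.  Correctness rests entirely on the
    receiver's SPI allocation: one SPI space shared by AH, ESP and every
    local address, so a reused SPI is rejected at insertion time."""

    def __init__(self) -> None:
        self._sas: Dict[int, InboundSA] = {}

    def allocate_spi(self) -> int:
        """Lowest unused SPI above the reserved range (constructed helper)."""
        spi = FIRST_FREE_SPI
        while spi in self._sas:
            spi += 1
        return spi

    def add(self, sa: InboundSA) -> None:
        if sa.spi in self._sas:
            raise ValueError("SPI %#x already in use" % sa.spi)
        self._sas[sa.spi] = sa

    def lookup(self, proto: int, spi: int, dst: str) -> Optional[InboundSA]:
        # proto and dst no longer select the SA; an implementation may still
        # compare them against the chosen SA afterwards as a sanity check.
        return self._sas.get(spi)


def collision_demo() -> Dict[str, List[str]]:
    """The same SPI reused across protocol and address: legal with the
    triple key, a collision once the SPI is the only discriminator."""
    sas = [
        InboundSA(ESP, 0x1000, "192.0.2.10", "esp-to-primary"),
        InboundSA(AH, 0x1000, "192.0.2.10", "ah-to-primary"),
        InboundSA(ESP, 0x1000, "192.0.2.11", "esp-to-alias"),
    ]
    result: Dict[str, List[str]] = {"triple": [], "spi_only": []}
    triple, spi_only = TripleKeyedSAD(), SpiKeyedSAD()
    for sa in sas:
        triple.add(sa)
        result["triple"].append(sa.label)
        try:
            spi_only.add(sa)
            result["spi_only"].append(sa.label)
        except ValueError:
            result["spi_only"].append("COLLISION:" + sa.label)
    return result


def mobility_demo() -> Tuple[Optional[str], Optional[str]]:
    """Host moves: an ESP packet for an existing SA arrives at a new address."""
    sa = InboundSA(ESP, 0x2000, "192.0.2.10", "esp-mobile")
    triple, spi_only = TripleKeyedSAD(), SpiKeyedSAD()
    triple.add(sa)
    spi_only.add(sa)
    new_dst = "198.51.100.7"  # local address after the move (constructed)
    a = triple.lookup(ESP, 0x2000, new_dst)
    b = spi_only.lookup(ESP, 0x2000, new_dst)
    return (a.label if a else None, b.label if b else None)


def allocation_demo() -> List[int]:
    """With one shared allocator the SPI-only receiver never collides."""
    sad = SpiKeyedSAD()
    spis = []
    for proto, dst in [(ESP, "192.0.2.10"), (AH, "192.0.2.10"), (ESP, "192.0.2.11")]:
        spi = sad.allocate_spi()
        sad.add(InboundSA(proto, spi, dst, "sa-%d" % spi))
        spis.append(spi)
    return spis


if __name__ == "__main__":
    print(collision_demo())
    print(mobility_demo())
    print(allocation_demo())
```

`collision_demo` is the answer to the second question in the post from the receiver's side: a vendor whose allocator hands out SPIs independently per protocol or per local address would see the collisions the SPI-only SAD rejects, while `allocation_demo` shows that a single allocator makes the weaker key sufficient without any change to what the peer sends.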