
Re: Misc. issues: Inbound SA triple identification / Inbound&Outbound SA, selectors exchange



> For an outbound SA, the destination address is actually the right key.
> 
> For an inbound SA, the IP address which allows us to uniquely identify an
> SA, along with the SPI and the protocol, is the SOURCE IP address. There
> is no reason why two remote peers would not allocate the same SPI. I'd
> say we even need to consider the source IP address of the cryptographic
> endpoint: in tunnel mode we need to know the IP address of the IPSEC
> tunnel endpoint in order to uniquely identify the SA for an incoming
> packet.
> 
> Is this correct?

No.  The receiver is responsible for allocating unique SPI values and
communicating them to the sender.

				- Bill
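
The following is an added example, not part of the original message or of any IPsec implementation: a minimal receiver-side SA database showing why an inbound lookup on (destination address, protocol, SPI) is unambiguous when the receiver allocates the SPI itself. The class name, addresses and SPI candidates are constructed for illustration.

```python
import secrets

ESP = 50  # IP protocol number for ESP


class InboundSAD:
    """Receiver-side SA database keyed by (local address, protocol, SPI)."""

    def __init__(self, spi_source=None):
        self._sas = {}
        # Assumption: SPIs are drawn at random; the source is injectable for testing.
        self._spi_source = spi_source or (lambda: secrets.randbits(32))

    def allocate(self, local_addr, proto, peer_addr):
        """Pick an SPI not yet used for (local_addr, proto) and record the SA.

        The returned value is what the receiver communicates to the sender
        during key management, so two peers can never be handed the same one.
        """
        while True:
            spi = self._spi_source()
            if spi <= 255:  # 0 and 1..255 are reserved values
                continue
            key = (local_addr, proto, spi)
            if key not in self._sas:  # uniqueness is enforced here, locally
                self._sas[key] = {"peer": peer_addr, "spi": spi}
                return spi

    def lookup(self, dst_addr, proto, spi):
        """Inbound packet processing: the source address is not part of the key."""
        return self._sas.get((dst_addr, proto, spi))


def demo():
    # Constructed candidate stream: a reserved value, then a deliberate repeat.
    candidates = iter([7, 0x1000, 0x1000, 0x1001])
    sad = InboundSAD(spi_source=lambda: next(candidates))
    local = "192.0.2.1"
    spi_a = sad.allocate(local, ESP, "198.51.100.10")
    spi_b = sad.allocate(local, ESP, "203.0.113.20")  # repeat is rejected
    return (spi_a, spi_b,
            sad.lookup(local, ESP, spi_a)["peer"],
            sad.lookup(local, ESP, spi_b)["peer"])


if __name__ == "__main__":
    print(demo())
```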


