Re: Misc. issues: Inbound SA triple identification / Inbound&Outbound SA, selectors exchange
Bill Sommerfeld wrote:
> > For an outbound SA, the destination address is actually the right key.
> >
> > For an inbound SA, the IP address which allows us to uniquely identify an
> > SA, along with the SPI and the protocol, is the SOURCE IP address. There
> > is no reason why two remote peers would not allocate the same SPI. I'd
> > say we even need to consider the source IP address of the cryptographic
> > endpoint: in tunnel mode we need to know the IP address of the IPSEC
> > tunnel endpoint in order to uniquely identify the SA for an incoming
> > packet.
> >
> > Is this correct?
>
> No. The receiver is responsible for allocating unique SPI values and
> communicating them to the sender.
>
> - Bill
Thanks for the fast answer!
I now understand what I missed in the RFC: "The SPI chosen by the destination
of the SA is used to derive KEYMAT for that SA". I just thought it was the
contrary...
So for an incoming IPSEC packet, the SPI is the one that was allocated
locally. Still I do not get it: why should we use the destination address
from the outer IP header for a lookup in our SAD?? We ARE the destination,
this is no information!!
I see 2 possibilities:
- we allocated the SPI, so if we made it unique "system-wide" for the current
protocol, we do not even need any IP address information to find the SA.
- we allocated the SPI but we only guarantee it is unique for the current
remote peer and the current protocol. Then we need to make a lookup based on
the Source IP address of the incoming packet (and the protocol, and the SPI
of course).
Is this better???
Thanks again,
Emmanuel.
--
Emmanuel Hislen
Lucent Technologies INS
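An added illustration of the two keying rules the thread settles on, written for this page and not taken from the thread or from any IPsec implementation: the receiver allocates inbound SPIs, so an inbound SAD lookup needs only (protocol, SPI) and the outer source address is not part of the key (possibility 1 above), while outbound SPIs are chosen by each remote peer and may collide, so the destination address must be part of that key. Everything here is constructed: the toy SAD, the peer addresses, the minimal IPv4/ESP/AH packet builder used as sample input, and the assumption that the host has a single local address.

```python
"""Toy Security Association Database (SAD): a constructed example, not code
from the thread or from any IPsec stack. Inbound SAs are keyed on
(protocol, SPI) because we chose the SPI; outbound SAs are keyed on
(destination, protocol, SPI) because the peer chose the SPI."""
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number carrying ESP
AH = 51   # IP protocol number carrying AH


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int
    src: str    # address that sends on this SA
    dst: str    # address that receives on this SA; it chose the SPI
    key: bytes  # stand-in for the real keying material (constructed)


class SAD:
    def __init__(self, local_addr: str) -> None:
        self.local = local_addr  # assumption: one local address
        # Inbound SAs: we chose the SPI, unique system-wide per protocol.
        self.inbound: Dict[Tuple[int, int], SA] = {}          # (proto, spi)
        # Outbound SAs: the peer chose the SPI, so key on the destination too.
        self.outbound: Dict[Tuple[str, int, int], SA] = {}    # (dst, proto, spi)

    def allocate_inbound_spi(self, proto: int) -> int:
        """Pick an SPI no other inbound SA for this protocol is using.
        Values 0-255 are reserved by the ESP/AH specifications."""
        while True:
            spi = secrets.randbelow(1 << 32)
            if spi > 255 and (proto, spi) not in self.inbound:
                return spi

    def add_inbound(self, proto: int, peer: str, key: bytes) -> SA:
        spi = self.allocate_inbound_spi(proto)
        sa = SA(spi, proto, src=peer, dst=self.local, key=key)
        self.inbound[(proto, spi)] = sa
        return sa

    def add_outbound(self, proto: int, peer: str, peer_spi: int, key: bytes) -> SA:
        # Two different peers may hand us the same SPI; only (peer, proto, spi)
        # must be unique, which is why the destination is part of the key.
        k = (peer, proto, peer_spi)
        if k in self.outbound:
            raise ValueError("duplicate outbound SA for this peer")
        sa = SA(peer_spi, proto, src=self.local, dst=peer, key=key)
        self.outbound[k] = sa
        return sa

    def lookup_inbound(self, proto: int, spi: int) -> Optional[SA]:
        return self.inbound.get((proto, spi))

    def lookup_outbound(self, dst: str, proto: int, spi: int) -> Optional[SA]:
        return self.outbound.get((dst, proto, spi))

    def handle_inbound(self, packet: bytes) -> Optional[SA]:
        """Find the SA for a received IPv4 packet. The outer source address is
        parsed but deliberately not used for the lookup."""
        src, dst, proto, spi = parse_ipsec_header(packet)
        if dst != self.local:
            return None  # not addressed to us, so no inbound SA can match
        return self.lookup_inbound(proto, spi)


def _addr_bytes(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))


def build_ipsec_packet(src: str, dst: str, proto: int, spi: int) -> bytes:
    """Construct a minimal IPv4 packet with an ESP or AH header (sample input)."""
    if proto == ESP:
        ipsec_hdr = struct.pack("!II", spi, 1)              # SPI, sequence number
    elif proto == AH:
        ipsec_hdr = struct.pack("!BBHII", 4, 1, 0, spi, 1)  # next hdr, len, rsvd, SPI, seq
    else:
        raise ValueError("proto must be ESP or AH")
    total_len = 20 + len(ipsec_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         proto, 0, _addr_bytes(src), _addr_bytes(dst))
    return ip_hdr + ipsec_hdr


def parse_ipsec_header(packet: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, proto, spi) from an IPv4 packet carrying ESP or AH."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto == ESP:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]      # SPI is first in ESP
    elif proto == AH:
        spi = struct.unpack("!I", packet[ihl + 4:ihl + 8])[0]  # SPI follows nh/len/rsvd
    else:
        raise ValueError("not an IPsec packet")
    return src, dst, proto, spi
```

Registering two inbound SAs from different peers never yields the same (protocol, SPI) pair because allocate_inbound_spi checks the table, so handle_inbound resolves a packet without consulting its source address; registering two outbound SAs whose peers both picked SPI 0x1000 succeeds only because the destination is part of the outbound key.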