
Re: Misc. issues: Inbound SA triple identification / Inbound&Outbound SA, selectors exchange



> I now understand what I missed in the RFC: "The SPI chosen by the destination
> of the SA is used to derive KEYMAT for that SA". I just thought it was the
> contrary...
> 
> So for an incoming IPSEC packet, the SPI is the one that was allocated
> locally. Still I do not get it: why should we use the destination address
> from the outer IP header for a lookup in our SAD?? 

This was discussed recently in this WG; this may change in a future version of
the spec.  The one answer which seemed to "stick" best is "Multicast".

That said, there's nothing stopping an implementation today from doing
as you described and allocating unique SPIs for unicast addresses
from a space shared across all its destination addresses.

					- Bill
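To make the two lookup strategies in this exchange concrete, here is an added example (not code from the original thread, nor from any implementation discussed in it). It models an inbound SAD keyed on the (destination address, protocol, SPI) triple, and beside it an SPI-only lookup of the kind Bill says a unicast-only implementation can get away with when it hands out SPIs from one space shared across all its local addresses. The multicast case shows why the triple is the safe default: a receiver does not pick the SPI for a multicast SA, the group's key-management entity does, so two groups can legitimately present the same SPI and only the outer destination address tells them apart. Class and function names, the SPI allocation scheme, the sample addresses and the placeholder key material are all assumptions made for illustration.

```python
"""Inbound SA lookup: (dst, proto, SPI) triple vs. SPI-only.

Added example; not code from the original mailing-list thread.  All
names, addresses and key values below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

ESP = 50   # IP protocol number for ESP
AH = 51    # IP protocol number for AH


@dataclass(frozen=True)
class InboundSA:
    dst: str      # destination in the outer IP header (unicast or group)
    proto: int    # ESP or AH
    spi: int
    key: bytes    # stand-in for the KEYMAT derived for this SA


class InboundSAD:
    """Security Association Database for inbound traffic (illustrative)."""

    def __init__(self):
        self._by_triple = {}
        # Receiver-chosen unicast SPIs come from a single counter shared
        # across every local destination address; values 1-255 are
        # reserved, so start above them.  (Assumed allocation scheme.)
        self._next_spi = 0x100

    def allocate_unicast_spi(self, dst, proto, key):
        """Local end allocates the SPI, as for a unicast SA."""
        spi = self._next_spi
        self._next_spi += 1
        sa = InboundSA(dst, proto, spi, key)
        self._by_triple[(dst, proto, spi)] = sa
        return sa

    def install_multicast_sa(self, group, proto, spi, key):
        """Group controller chose the SPI; we only record what we were told."""
        if not ipaddress.ip_address(group).is_multicast:
            raise ValueError("not a multicast group: %s" % group)
        sa = InboundSA(group, proto, spi, key)
        self._by_triple[(group, proto, spi)] = sa
        return sa

    def lookup_triple(self, dst, proto, spi):
        """Lookup by the full (dst, proto, SPI) triple; never ambiguous."""
        return self._by_triple.get((dst, proto, spi))

    def lookup_spi_only(self, proto, spi):
        """Lookup ignoring the outer destination address.

        Works when every SPI is unique per protocol (the shared unicast
        space above); fails loudly when two SAs share an SPI.
        """
        matches = [sa for (d, p, s), sa in self._by_triple.items()
                   if p == proto and s == spi]
        if len(matches) > 1:
            raise LookupError("SPI %#x is ambiguous without the "
                              "destination address" % spi)
        return matches[0] if matches else None


def demo():
    """Constructed scenario: two unicast SAs, two groups sharing one SPI."""
    sad = InboundSAD()
    u1 = sad.allocate_unicast_spi("192.0.2.10", ESP, b"unicast-key-1")
    u2 = sad.allocate_unicast_spi("198.51.100.7", ESP, b"unicast-key-2")
    g1 = sad.install_multicast_sa("239.1.1.1", ESP, 0x1000, b"group-A-key")
    g2 = sad.install_multicast_sa("239.2.2.2", ESP, 0x1000, b"group-B-key")

    results = {
        "unicast_spis_distinct": u1.spi != u2.spi,
        "unicast_spi_only_ok": sad.lookup_spi_only(ESP, u1.spi) is u1,
        "group_triple_ok": (sad.lookup_triple("239.1.1.1", ESP, 0x1000) is g1
                            and sad.lookup_triple("239.2.2.2", ESP, 0x1000) is g2),
    }
    try:
        sad.lookup_spi_only(ESP, 0x1000)
        results["group_spi_only_ambiguous"] = False
    except LookupError:
        results["group_spi_only_ambiguous"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-26s %s" % (name, ok))
```

The triple lookup costs one extra key component and nothing else, which is why it is the conservative choice: an implementation that later adds multicast, or merges SADs from two interfaces with independently allocated SPIs, keeps working without a redesign.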

