
src addr/SPI coupling




Fearlessly trudging ahead with my Stupid Question
series, it's my understanding that IPsec
implementations upon receiving a packet with AH/ESP
in it check both the SPI and the source address in
the incoming packet to determine which security
context to use. Assuming that I don't have that
part wrong, what advantage is there in coupling
the two? Ordinarily, the SPI is chosen by the
receiver and could easily be unique against its
entire set of SA's so it doesn't seem to be 
required from a demux standpoint.

I can think of some downsides to this: mobility,
renumbering and multihoming wouldn't find this
behavior very friendly. The reason I bring this up
is because I've been working off and on on a draft
so that MIPv6 binding updates can use ESP
instead/in addition to AH. One thing that comes up
is that the MIP folks are expecting the Home
Address option to be outside of the ESP
encapsulation so that it can be used to select the
proper security context (along with the
SPI). Since it might be encrypted if it were
inside, you obviously have a cart before horse
problem, and you obviously want it protected
from tampering...

It seems that relaxing the source address coupling
with the SPI would address that particular
problem, as well as allow SA's to survive
renumbering and multihoming failover...

		Mike
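
The demux question in the message above, as an added example that is not part of the original post: a hypothetical receiver-side SA database that selects an SA either by SPI plus source address or by SPI alone, run over constructed IPv4/ESP headers. The `SAD` class, the function names and the SA names are assumptions made for illustration.

```python
import ipaddress
import secrets
import struct

ESP = 50  # IP protocol number for ESP

def build_packet(src, dst, spi, seq=1):
    """Constructed sample: minimal IPv4 header + ESP header (SPI, sequence number)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!II", spi, seq)

def parse_packet(pkt):
    """Return (source address, SPI) of an IPv4/ESP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[9] != ESP:
        raise ValueError("not an IPv4/ESP packet")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    (spi,) = struct.unpack("!I", pkt[ihl:ihl + 4])
    return src, spi

class SAD:
    """Hypothetical receiver-side SA database (not taken from any implementation)."""
    def __init__(self):
        self.by_spi = {}  # spi -> (peer source address, SA name)

    def add_sa(self, peer_src, name):
        # The receiver picks the SPI, so it can make it unique across all its SAs.
        while True:
            spi = 256 + secrets.randbelow(2**32 - 256)  # 0-255 are reserved
            if spi not in self.by_spi:
                self.by_spi[spi] = (peer_src, name)
                return spi

    def lookup_coupled(self, pkt):
        """Select the SA only if both SPI and source address match."""
        src, spi = parse_packet(pkt)
        entry = self.by_spi.get(spi)
        return entry[1] if entry and entry[0] == src else None

    def lookup_spi_only(self, pkt):
        """Select the SA by SPI alone; the source address plays no part."""
        _, spi = parse_packet(pkt)
        entry = self.by_spi.get(spi)
        return entry[1] if entry else None
```

A packet carrying the same SPI from a new source address gets `None` from `lookup_coupled` and the original SA from `lookup_spi_only`.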

