
Re: src addr/SPI coupling



Actually, section 4.1 from rfc 2401 states:

   A security association is uniquely identified by a triple consisting
   of a Security Parameter Index (SPI), an IP Destination Address, and a
   security protocol (AH or ESP) identifier. [...]

It's not the source address.

jan


On Mon, 7 May 2001, Michael Thomas wrote:

> 
> Fearlessly trudging ahead with my Stupid Question
> series, it's my understanding that IPsec
> implementations upon receiving a packet with AH/ESP
> in it check both the SPI and the source address in
> the incoming packet to determine which security
> context to use. Assuming that I don't have that
> part wrong, what advantage is there in coupling
> the two? Ordinarily, the SPI is chosen by the
> receiver and could easily be unique against its
> entire set of SAs so it doesn't seem to be 
> required from a demux standpoint.
> 
> I can think of some down sides to this: mobility,
> renumbering and multihoming wouldn't find this
> behavior very friendly. The reason I bring this up
> is because I've been working off and on on a draft
> so that MIPv6 binding updates can use ESP
> instead/in addition to AH. One thing that comes up
> is that the MIP folks are expecting the Home
> Address option to be outside of the ESP
> encapsulation so that it can be used to select the
> proper security context (along with the
> SPI). Since it might be encrypted if it were
> inside, you obviously have a cart before horse
> problem, and you obviously want it protected
> from tampering...
> 
> It seems that relaxing the source address coupling
> with the SPI would address that particular
> problem, as well as allow SAs to survive
> renumbering and multihoming failover...
> 
> 		Mike
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
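To make the point of the exchange concrete, here is an added example (not code from the thread or from any IPsec implementation): a toy inbound Security Association Database keyed on the RFC 2401 triple (SPI, destination address, protocol), alongside the stricter lookup Mike describes that also requires the packet's source address to match. The addresses, SPIs and the `peer` field are constructed for illustration; a real inbound path would still verify the ICV under the SA's key after the lookup, which is omitted here.

```python
# Added example (not from the thread): a toy inbound Security Association
# Database (SAD). It contrasts keying SAs on the RFC 2401 triple
# (SPI, destination address, protocol) with additionally coupling the SA to
# the packet's source address. All addresses and SPIs are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number for ESP
AH = 51   # IP protocol number for AH


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    proto: int
    peer: str  # hypothetical field: the source address seen when the SA was set up


@dataclass(frozen=True)
class Packet:
    """Only the header fields an inbound SA lookup consults (constructed)."""
    src: str
    dst: str
    proto: int
    spi: int


class InboundSAD:
    """Inbound SA table keyed exactly as RFC 2401 section 4.1 identifies an SA."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[int, str, int], SA] = {}

    def add(self, sa: SA) -> None:
        key = (sa.spi, sa.dst, sa.proto)
        # The triple must be unique. The receiver chooses the SPI, so it can
        # simply avoid reusing one for the same destination and protocol.
        if key in self._table:
            raise ValueError(f"SA triple already in use: {key}")
        self._table[key] = sa

    def lookup(self, pkt: Packet) -> Optional[SA]:
        """Triple-keyed lookup: the packet's source address plays no part.
        Binding the packet to this SA is then the job of the ICV check under
        the SA's key (not modelled here)."""
        return self._table.get((pkt.spi, pkt.dst, pkt.proto))

    def lookup_source_coupled(self, pkt: Packet) -> Optional[SA]:
        """The stricter behaviour Mike describes: also require the packet's
        source address to match the peer the SA was established with."""
        sa = self.lookup(pkt)
        if sa is None or sa.peer != pkt.src:
            return None
        return sa


def demo() -> Dict[str, bool]:
    """Show how each lookup behaves when the peer's source address changes."""
    sad = InboundSAD()
    sad.add(SA(spi=0x1001, dst="192.0.2.10", proto=ESP, peer="198.51.100.5"))
    # Same SPI and destination but a different protocol is a distinct SA.
    sad.add(SA(spi=0x1001, dst="192.0.2.10", proto=AH, peer="198.51.100.5"))

    before = Packet(src="198.51.100.5", dst="192.0.2.10", proto=ESP, spi=0x1001)
    # The peer's address changed (renumbering, mobility, multihoming failover)
    # but it keeps sending on the same SA.
    after = Packet(src="203.0.113.7", dst="192.0.2.10", proto=ESP, spi=0x1001)

    return {
        "triple_before": sad.lookup(before) is not None,
        "triple_after": sad.lookup(after) is not None,
        "coupled_before": sad.lookup_source_coupled(before) is not None,
        "coupled_after": sad.lookup_source_coupled(after) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the triple-keyed table resolving the SA both before and after the peer's address changes, while the source-coupled lookup fails after the change; the AH and ESP entries sharing an SPI also illustrate why the protocol identifier is part of the key.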


