
Re: src addr/SPI coupling



At 09:41 07.05.01 -0700, Michael Thomas wrote:
 >
 >Fearlessly trudging ahead with my Stupid Question
 >series, it's my understanding that IPsec
 >implementations upon receiving a packet with AH/ESP
 >in it check both the SPI and the source address in
 >the incoming packet to determine which security
 >context to use. Assuming that I don't have that
 >part wrong, what advantage is there in coupling
 >the two? Ordinarily, the SPI is chosen by the
 >receiver and could easily be unique against its
 >entire set of SA's so it doesn't seem to be 
 >required from a demux standpoint.
 >
 >I can think of some down sides to this: mobility,
 >renumbering and multihoming wouldn't find this
 >behavior very friendly. The reason I bring this up
 >is because I've been working off and on on a draft
 >so that MIPv6 binding updates can use ESP
 >instead/in addition to AH. One thing that comes up
 >is that the MIP folks are expecting the Home
 >Address option to be outside of the ESP
 >encapsulation so that it can be used to select the
 >proper security context (along with the
 >SPI). Since it might be encrypted if it were
 >inside, you obviously have a cart before horse
 >problem, and you obviously want it protected
 >from tampering...
 >
 >It seems that relaxing the source address coupling
 >with the SPI would address that particular
 >problem, as well as allow SA's to survive
 >renumbering and multihoming failover...
 >
 >		Mike
 >
 >

So got it wrong. Entirely. The source address is not checked.
An IPsec box can choose the SPI of _incoming_ traffic, thus it
can avoid collisions easily.

Jörn
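
Receiver-side demultiplexing as the reply describes it, shown as an added example that is not part of the original thread or of any IPsec implementation: the receiver allocates each inbound SPI itself, so the SPI is unique in its table and lookup never consults the packet's source address. All names (`sad_add_inbound`, `demux_inbound`, `ctx_id`) and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SAD_SIZE 8        /* constructed: tiny SA table for the demo */
#define SPI_MIN  256u     /* SPI 0 is for local use, 1..255 are reserved */

struct sa {
    uint32_t spi;         /* 0 marks a free slot */
    uint32_t peer_addr;   /* recorded at setup, never used for lookup */
    int      ctx_id;      /* stands in for keys, replay window, etc. */
};

static struct sa sad[SAD_SIZE];
static uint32_t next_spi = SPI_MIN;

/* Find an inbound SA by SPI alone. */
static struct sa *sad_lookup(uint32_t spi) {
    if (spi < SPI_MIN) return NULL;
    for (size_t i = 0; i < SAD_SIZE; i++)
        if (sad[i].spi == spi) return &sad[i];
    return NULL;
}

/* The receiver picks the SPI, skipping any value already in use. Returns 0 if full. */
static uint32_t sad_add_inbound(uint32_t peer_addr, int ctx_id) {
    for (size_t i = 0; i < SAD_SIZE; i++) {
        if (sad[i].spi != 0) continue;
        while (next_spi < SPI_MIN || sad_lookup(next_spi)) next_spi++;
        sad[i] = (struct sa){ next_spi++, peer_addr, ctx_id };
        return sad[i].spi;
    }
    return 0;
}

/* Demultiplex a received packet: src_addr is deliberately ignored. Returns -1 if no SA. */
static int demux_inbound(uint32_t src_addr, uint32_t spi) {
    (void)src_addr;
    struct sa *sa = sad_lookup(spi);
    return sa ? sa->ctx_id : -1;
}

int main(void) {
    uint32_t spi = sad_add_inbound(0x0a000001u, 1);   /* peer at 10.0.0.1 */
    printf("old src -> ctx %d\n", demux_inbound(0x0a000001u, spi));
    printf("new src -> ctx %d\n", demux_inbound(0xc0a80105u, spi)); /* peer moved */
    return 0;
}
```

Both lookups resolve to the same context, which is the property the mobility and renumbering question depends on.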



