
Re: src addr/SPI coupling



Jan Vilhuber writes:
 > Actually, section 4.1 from RFC 2401 states:
 > 
 >    A security association is uniquely identified by a triple consisting
 >    of a Security Parameter Index (SPI), an IP Destination Address, and a
 >    security protocol (AH or ESP) identifier. [...]
 > 
 > It's not the source address.

   OK, that changes the sense of the problem, but not
   the original question. Why does there need to be
   any dependency on the destination address to 
   select the right SA? This still seems like it 
   could run into trouble on the mobile node 
   incoming traffic if the destination address
   were "wrong" (which is, I think, the way a
   naive stack might view it.)

	      Mike
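
The lookup under discussion, as an added example that is not part of the original message or of any real IPsec stack: a toy inbound SA database keyed on the RFC 2401 triple, showing a strict lookup missing when a packet for the mobile node arrives on a different destination address, next to a hypothetical SPI-only lookup. The addresses, SPI value, SA names and the `lookup_ignoring_dst` helper are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ESP, AH = 50, 51  # IP protocol numbers for ESP and AH

# Constructed sample addresses (documentation ranges), not from the thread.
HOME = "192.0.2.10"       # mobile node's home address
CARE_OF = "198.51.100.7"  # address the mobile node currently receives on
OTHER = "203.0.113.5"     # a second local destination address


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    proto: int
    name: str


class SAD:
    """Toy inbound SA database keyed on the RFC 2401 section 4.1 triple."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.spi, ip_address(sa.dst), sa.proto)
        if key in self._sas:
            raise ValueError("duplicate (SPI, destination, protocol) triple")
        self._sas[key] = sa

    def lookup(self, spi, dst, proto):
        """Strict lookup: all three fields of the received packet must match."""
        return self._sas.get((spi, ip_address(dst), proto))

    def lookup_ignoring_dst(self, spi, proto):
        """Hypothetical lookup that drops the destination address from the key."""
        return [sa for (s, _, p), sa in self._sas.items() if (s, p) == (spi, proto)]


def demo():
    sad = SAD()
    sad.add(SA(0x1000, HOME, ESP, "mn-home-esp"))
    sad.add(SA(0x1000, OTHER, ESP, "other-esp"))  # same SPI, allowed by the triple
    hit = sad.lookup(0x1000, HOME, ESP)
    miss = sad.lookup(0x1000, CARE_OF, ESP)  # packet addressed to the care-of address
    by_spi = sad.lookup_ignoring_dst(0x1000, ESP)  # two candidates: ambiguous
    return hit, miss, by_spi
```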

