
Re: src addr/SPI coupling




----- Original Message ----- 
From: "Michael Thomas" <mat@cisco.com>

 > 
 > Now wait a minute. I thought the receiver chose
 > the SPI.  If so, it owns that number space (modulo
 > Cheryl's comment about multicast), so there
 > shouldn't be collisions. If another sender tried
 > to use that SPI, it would imply that they have
 > keying material. 
 > 
 > Mike
 > 

SPI collision does not happen at the receiver,
but at the sender. The receiver can ensure
that the SPI does not conflict with another
SPI in its database, but it cannot ensure that
the sender has not chosen the same SPI for
"another" SA (because multiple key material
map to the same SPI).

regards,
Jayant
 > jshukla writes:
 >  > 
 >  > ----- Original Message ----- 
 >  > From: "Michael Thomas" <mat@cisco.com>
 >  > >    OK, that changes the sense of the problem, but not
 >  > >    the original question. Why does there need to be
 >  > >    any dependency on the destination address to 
 >  > >    select the right SA? This still seems like it 
 >  > 
 >  > To make sure that SA is unique!? SPI is only
 >  > 32 bits long and there is a finite chance of 
 >  > collision. 
 >  > 
 >  >         SPI is chosen by the destination of
 >  > SA who makes sure that it does not have two
 >  > identical SPIs (it does not prevent the source
 >  > from having the same SPI for another SA).
 >  >         The source of SA uses the destination 
 >  > address along with SPI to make sure that 
 >  > SA is unique (in the event there is a collision and 
 >  > the source ends up having two SAs that share 
 >  > a common SPI).
 >  > 
 >  > >    could run into trouble on the mobile node 
 >  > >    incoming traffic if the destination address
 >  > >    were "wrong" (which is, I think, the way a
 >  > >    naive stack might view it.)
 >  > > 
 >  > >       Mike
 >  > 
 >  > It will surely run into trouble. BTW, this 
 >  > problem is similar to the NAT problem. 
 >  > 
 >  > 
 >  > regards,
 >  > Jayant
 >  >
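
The sender-side collision discussed in this thread, as an added example that is not part of the original messages: two receivers each pick an SPI that is unique in their own database, the sender ends up with the same SPI for two outbound SAs, and only a table keyed by (destination, SPI) keeps them apart. The class names, addresses and keys are constructed for illustration, and the probability estimate assumes receivers pick SPIs uniformly at random.

```python
import math
from dataclasses import dataclass

SPI_BITS = 32  # the thread notes the SPI is only 32 bits long

@dataclass(frozen=True)
class OutboundSA:
    dst: str    # receiver address; the receiver chose the SPI
    spi: int
    key: bytes  # constructed keying material

class SpiOnlySAD:
    """Hypothetical sender-side SA table keyed by SPI alone."""
    def __init__(self):
        self.table = {}
    def install(self, sa):
        replaced = self.table.get(sa.spi)
        self.table[sa.spi] = sa
        return replaced  # SA that was silently overwritten, or None
    def lookup(self, dst, spi):
        return self.table.get(spi)  # destination is ignored

class DstSpiSAD:
    """Hypothetical sender-side SA table keyed by (destination, SPI)."""
    def __init__(self):
        self.table = {}
    def install(self, sa):
        replaced = self.table.get((sa.dst, sa.spi))
        self.table[(sa.dst, sa.spi)] = sa
        return replaced
    def lookup(self, dst, spi):
        return self.table.get((dst, spi))

def collision_probability(n_peers, bits=SPI_BITS):
    """Birthday approximation: chance that n receivers, each choosing a
    uniformly random SPI (assumption), give the sender a duplicate."""
    return 1.0 - math.exp(-n_peers * (n_peers - 1) / (2.0 * 2 ** bits))

def demo():
    # Constructed sample: two receivers independently choose the same SPI.
    sa_a = OutboundSA("192.0.2.10", 0x1000ABCD, b"key-for-A")
    sa_b = OutboundSA("198.51.100.20", 0x1000ABCD, b"key-for-B")
    naive, keyed = SpiOnlySAD(), DstSpiSAD()
    overwritten = [sad.install(sa_a) or sad.install(sa_b) for sad in (naive, keyed)]
    return {
        "overwritten": overwritten,  # [sa_a, None]
        "naive_to_a": naive.lookup(sa_a.dst, sa_a.spi),  # returns B's SA
        "keyed_to_a": keyed.lookup(sa_a.dst, sa_a.spi),
        "keyed_to_b": keyed.lookup(sa_b.dst, sa_b.spi),
    }
```
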



