[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: src addr/SPI coupling

To: andrew.krywaniuk@alcatel.com
Subject: Re: src addr/SPI coupling
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
Date: Mon, 14 May 2001 13:54:29 -0400
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Sun, 13 May 2001 03:33:47 EDT." <000701c0dc8a$85b9ae70$1e31788a@andrewk3.ca.newbridge.com>
Reply-to: sommerfeld@East.Sun.COM
Sender: owner-ipsec@lists.tislabs.com

> Are (b) and (c) really a problem? The entropy provided by the SPIs is only
> needed to provide distinct keymat for multiple SAs in the same packet,
> right? A counter in the key derivation would serve the same purpose.

One reason for random SPI's is to make it harder for an off-path
attacker to flood you with with packets with valid spi's which must be
decrypted before they can be discarded.

					- Bill

References:

RE: src addr/SPI coupling

From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: RE: New draft on Dead Peer Detection
Next by Date: RE: src addr/SPI coupling
Prev by thread: RE: src addr/SPI coupling
Next by thread: RE: src addr/SPI coupling
Index(es):
- Main
- Thread