
Re: Do we actually need dynamic ports?



Jan Vilhuber writes:
> The only minor difference (and I'm not saying it's important) is that
> you have to go through 'more' computation to delete and add a new SA,
> rather than adding to it, but that may be minor and not an issue at
> all. In particular: using up 'precious' entropy by having to come up
> with new key material, having to create a new SPI (and associated IKE
> delete payloads), and possibly having to rebuild some internal tree
> for the SAs (depends on implementation). Simply adding some selectors
> to an existing SA and keeping keys and SPI, *seems* easier, but may
> not actually make that much difference.

Adding might be easier in some environments, and impossible or very
difficult in others (if all SA state is implemented in hardware, and
the hardware does not support adding SPIs). Also, add requires changes
to the API/protocol etc. used between IKE and IPsec, where rekeying and
delete fit into the current usage already.

> Paul proposed using a semantic where using the same 'SPI' in the
> proposal means that you are adding to the existing SPI. That could
> bear a closer look as well, although I think there's room for error
> there..

I thought that too, but as the responder can only select a subset of
the selectors proposed to it, that could cause more trouble than it is
worth...
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/