
Re: SPI in Delete Payload of IKE / IKEv2



Hi, Mr. Nir,

Thank you for telling me the spec. of the Delete Payload.
I understand that it is reasonable under the current spec.

By the way, I wonder if you would mind telling me where the spec. is written.

On the other hand,
I think it would be useful if we could tell the peer about the deletion of the outbound SA,
and I wonder why we don't specify it...
Because "Simple is Best."?
Has anyone discussed this?

Thank you, and I hope you will help me again.

Atsuhiro Tsuji

----- Original Message -----
From: "Yoav Nir" <ynir@checkpoint.com>
To: "'Atsuhiro Tsuji'" <tsuji.atsuhiro@jp.panasonic.com>;
<ipsec@lists.tislabs.com>
Sent: Thursday, March 06, 2003 10:55 PM
Subject: RE: SPI in Delete Payload of IKE / IKEv2


> Hi,
>
> You send a Delete-SA to stop the peer from using that SA.  The IPsec SA is
> outbound for the peer, but inbound for you.
>
> If A and B negotiate an IPsec SA, A sends ESP packets with SPI 17, and B
> sends packets with SPI 49.  If A wants this traffic to stop, he sends B a
> Delete payload with the SPI field 49.
>
> To stop transmissions on SPI 17, A need not send out anything.  It is
> enough that he stops using it.  It might have been nice to also be able to
> tell peer B that no more traffic will come with SPI 17, so that peer B has
> an easier time dropping fake packets, but this is not in the spec.
>
> Hope this helps.
>
> Yoav Nir
>
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On
> Behalf Of Atsuhiro Tsuji
> Sent: Thursday, March 06, 2003 2:51 PM
> To: ipsec@lists.tislabs.com
> Subject: SPI in Delete Payload of IKE / IKEv2
>
>
> Hi, all,
>
> I'd like to discuss the SPI value in the Delete Payload
> of IKE / IKEv2.
>
> This is my first time sending a question to the mailing list,
> so if my behavior/expression is not appropriate,
> please kindly point it out to me.
>
>
> As you know, there is a field which contains SPIs in the Delete Payload
> of IKE / IKEv2. But I cannot find the direction of the SA.
> So, I'm confused about whether I have to delete the INBOUND SA or the OUTBOUND SA,
> especially for IPsec-SA.
>
> Is there any rule for this?
> I wonder if we had better add a new field which indicates the direction.
>
> If you've already discussed this issue, please give me a pointer
> to it.
>
> I'm looking forward to your joining this discussion.
>
> Thank you in advance.
>
> -----
>  Atsuhiro Tsuji [tsuji.atsuhiro@jp.panasonic.com]
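
The SPI 17 / SPI 49 exchange described in the quoted reply, as an added example that is not part of the original thread. It assumes the IKEv2 Delete payload layout of RFC 7296 section 3.11 (generic header, Protocol ID, SPI Size, Num of SPIs, SPIs); the `Peer` class and its per-direction SPI sets are hypothetical.

```python
import struct

ESP = 3  # Protocol ID for ESP in the IKEv2 Delete payload (RFC 7296, 3.11)

def build_delete(protocol_id, spis, spi_size=4):
    """Generic payload header, then Protocol ID, SPI Size, Num of SPIs, SPIs."""
    body = struct.pack("!BBH", protocol_id, spi_size, len(spis))
    body += b"".join(spi.to_bytes(spi_size, "big") for spi in spis)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_delete(payload):
    """Return (protocol_id, [spi, ...]); reject inconsistent length fields."""
    if len(payload) < 8:
        raise ValueError("truncated Delete payload")
    _next, _flags, length, proto, size, count = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload) or length != 8 + size * count:
        raise ValueError("length fields do not match payload")
    spis = [int.from_bytes(payload[8 + i * size:8 + (i + 1) * size], "big")
            for i in range(count)]
    return proto, spis

class Peer:
    """Hypothetical SA database: one set of SPIs per direction."""
    def __init__(self, inbound_spi, outbound_spi):
        self.inbound = {inbound_spi}    # SPIs this peer expects to receive
        self.outbound = {outbound_spi}  # SPIs this peer puts on packets it sends

    def send_delete(self):
        # The sender names its own INBOUND SPIs: the ones the peer transmits on.
        return build_delete(ESP, sorted(self.inbound))

    def receive_delete(self, payload):
        # The receiver matches the SPIs against its OUTBOUND SAs only.
        proto, spis = parse_delete(payload)
        if proto != ESP:
            return []
        removed = [spi for spi in spis if spi in self.outbound]
        self.outbound.difference_update(removed)
        return removed

if __name__ == "__main__":
    a = Peer(inbound_spi=49, outbound_spi=17)   # constructed values from the thread
    b = Peer(inbound_spi=17, outbound_spi=49)
    print(b.receive_delete(a.send_delete()), b.inbound, a.outbound)
```

After the exchange B still holds its inbound SA for SPI 17, which is the state the reply describes: B has not been told that no more traffic will arrive on SPI 17.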