
responding to unknown SPIs



This is a request from the HIP WG for some information from IPsec WG 
participants.

At IETF-59, there was some discussion on whether HIP (which functions 
similarly to an IPsec key management protocol) should respond to ESP 
packets received with an unknown SPI.  

Some issues raised included:
- don't IPsec key management protocols ignore these? (It was pointed
out by a participant that the latest draft of IKEv2 has support for
responding to them, in the Notify Payload)
- what if multiple keying daemons (HIP, IPsec) are running on the
same box-- do both respond?
- what is the appropriate response, if there is one?  (inside/outside
SA context, rate limited, request to reestablish the SA?)
- is a response dependent on whether the local host determines that
it has rebooted recently?
- in practice, if a reboot has occurred, won't applications have lost 
their context anyway in this case?  What is the scenario for which a 
response is useful?

In looking at the latest draft (below), it seems that IKEv2 MAY
respond, either within the SA context or outside, to these 
unknown SPIs, but there is not much further guidance given.

In summary, at the HIP WG it was not clear if this was a useful
mechanism, so we decided to defer to IPsec WG for guidance.  Has
it been found to be useful?

Thanks,
Tom


From http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-12.txt

        INVALID_SPI                              11

            MAY be sent in an IKE INFORMATIONAL Exchange when a node
            receives an ESP or AH packet with an invalid SPI. The
            Notification Data contains the SPI of the invalid packet.
            This usually indicates a node has rebooted and forgotten an
            SA.  If this Informational Message is sent outside the
            context of an IKE_SA, it should only be used by the
            recipient as a "hint" that something might be wrong (because
            it could easily be forged).
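As an added illustration (not part of the message above or of the IKEv2 draft), the following Python models the policy questions the post raises: rate limiting INVALID_SPI responses per peer, and treating a received INVALID_SPI as a real signal only inside an IKE_SA and as a mere hint outside one. The constants, the peer addresses and the "confirm liveness over the IKE_SA" reaction are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed policy knobs (assumptions, not values from the IKEv2 draft).
MAX_NOTIFIES = 3      # INVALID_SPI notifications per peer per WINDOW seconds
WINDOW = 60.0
HINT_THRESHOLD = 2    # unauthenticated hints before we verify the peer ourselves

class UnknownSpiHandler:
    """Hypothetical model of an IKEv2 endpoint's policy for unknown-SPI ESP
    packets and for INVALID_SPI notifications it receives."""

    def __init__(self):
        self.inbound_spis = set()        # SPIs we expect on incoming ESP
        self.outbound_spis = {}          # SPI we send with -> peer address
        self.sent = defaultdict(deque)   # peer -> times we sent INVALID_SPI
        self.hints = defaultdict(int)    # peer -> unauthenticated hints seen
        self.rekey_requests = []         # outbound SPIs we decided to rekey

    def on_esp_packet(self, peer, spi, now):
        """Decide what to do with an inbound ESP packet carrying `spi`."""
        if spi in self.inbound_spis:
            return "deliver"
        q = self.sent[peer]
        while q and now - q[0] > WINDOW:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= MAX_NOTIFIES:
            return "drop"                 # rate limited: never amplify a flood
        q.append(now)
        return "send_invalid_spi"         # INVALID_SPI in an INFORMATIONAL

    def on_invalid_spi_notify(self, peer, spi, authenticated):
        """Handle INVALID_SPI naming one of our outbound SPIs; `authenticated`
        is True only if it arrived inside an established IKE_SA with `peer`."""
        if self.outbound_spis.get(spi) != peer:
            return "ignore"               # not an SA we have with this peer
        if authenticated:
            self.rekey_requests.append(spi)
            return "rekey"                # peer verifiably lost the SA: rekey it
        # Outside an IKE_SA the notify is forgeable: record it only as a hint,
        # and once hints accumulate, confirm liveness over the authenticated
        # IKE_SA instead of tearing anything down on an unverified message.
        self.hints[peer] += 1
        if self.hints[peer] >= HINT_THRESHOLD:
            self.hints[peer] = 0
            return "liveness_check"
        return "hint_recorded"
```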