Re: [Ipsec] IPsec AH and ESP -- changes

[Paul Koning <pkoning@equallogic.com>]

>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:

 Karen> Brian, Markku, George, Thank you for the comments.  Is the
 Karen> following a correct summary?

 Karen> 1. It's OK for Searches (1) and (2) to NOT use protocol (AH or
 Karen> ESP). With unicast SAs, the receiver chooses the SPI and can
 Karen> have separate SPI spaces for AH and ESP if it wishes; but for
 Karen> multicast/etc SAs, a central Group Controller/Key server is
 Karen> assigning the SPIs and will ensure that there is no overlap
 Karen> between AH SPIs and ESP SPIs.

 Karen> 2. Searches (1) and (2) will be changed from "destination
 Karen> multicast address" to "destination address".

 Karen> 3. Search (3) will be changed to "Search the SAD for a match
 Karen> on only {SPI}, or optionally {SPI, protocol}".

Perhaps more accurate would be "on only {SPI} if the receiver has
chosen the SPI to maintain separate SPI spaces for AH and EPS, and on
{SPI, protocol} otherwise".  That makes the dependency with the
implementation choice described under item 1 explicit.

       paul


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec