[IPsec] Multiple IPsec proposals, same SPI?
Tero Kivinen <kivinen@iki.fi> Fri, 30 April 2010 08:55 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 58C743A6AC4 for <ipsec@core3.amsl.com>; Fri, 30 Apr 2010 01:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.123
X-Spam-Level:
X-Spam-Status: No, score=-1.123 tagged_above=-999 required=5 tests=[AWL=-0.383, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O0VLlIn4miEZ for <ipsec@core3.amsl.com>; Fri, 30 Apr 2010 01:55:18 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id EB4733A6AC8 for <ipsec@ietf.org>; Fri, 30 Apr 2010 01:55:17 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3U8t2Rp008600 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 30 Apr 2010 11:55:02 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3U8t2kq013234; Fri, 30 Apr 2010 11:55:02 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19418.39654.223692.207039@fireball.kivinen.iki.fi>
Date: Fri, 30 Apr 2010 11:55:02 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Dan McDonald <dan.mcdonald@oracle.com>
In-Reply-To: <20100429201312.GA1499@everywhere.SFBay.Sun.COM>
References: <20100429201312.GA1499@everywhere.SFBay.Sun.COM>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 7 min
X-Total-Time: 7 min
Cc: ipsec@ietf.org
Subject: [IPsec] Multiple IPsec proposals, same SPI?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 08:55:19 -0000
Dan McDonald writes: > Consider the example in section 3.3 of IKEv2bis, which I've edited for > brevity: > > SA Payload > | > +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4, > | | 7 transforms, SPI = 0x052357bb ) > > (either way for ESN, three CBC ciphers, two hashes) > > +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4, > | 4 transforms, SPI = 0x35a1d6f2 ) > (either way for ESN, two GCM ciphers) > > the example shows two distinct SPI values. > > Is it *required* that the SPI values be different? It is not required that SPI values are different. But it is required that recipient accepts such proposal where they are different. The SA allocation is completely local matter. > For example, PF_KEY has SADB_GETSPI which merely reserves an inbound > SPI value, without ANY other properties attached. IN theory, given > the above example, I could instead issue: > > SA Payload > | > +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4, > | | 7 transforms, SPI = 0x052357bb ) > > (either way for ESN, three CBC ciphers, two hashes) > > +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4, > | 4 transforms, SPI = 0x052357bb ) > (either way for ESN, two GCM ciphers) > > since I merely did a GETSPI which reserved 0x052357bb. Yes, that is also completely legal proposal. I.e. both versions must be supported by the receiving end, but sender end can only use whatever is more convinient for him. In some environments the SPI selection can be done so that part of the SPI indicates for example the crypto processor which will be taking care of the traffic, and if there are multiple crypto processors which have different capabilities, it might not be possible for sender end to select same SPI for all proposals. In other environments like in yours, it might be that SPI is same because it is allocated using one PF_KEY operation. Unfortunately this is also true for IKE SA rekey (where the half of the IKE SA SPIs are inside the Proposal payloads inside SA Payload), and that would be one place where I would like to change specification so they would need to be same in all proposals, but it is too late for that change. -- kivinen@iki.fi
- [IPsec] Multiple IPsec proposals, same SPI? Dan McDonald
- [IPsec] Multiple IPsec proposals, same SPI? Tero Kivinen