RE: SPI question
Kai Martius <admin@imib.med.tu-dresden.de> Thu, 28 May 1998 15:14 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA27721 for ipsec-outgoing; Thu, 28 May 1998 11:14:22 -0400 (EDT)
From: Kai Martius <admin@imib.med.tu-dresden.de>
Organization: Uniklinik TUD
To: Stephen Waters <Stephen.Waters@digital.com>
Date: Thu, 28 May 1998 17:05:20 +0100
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: RE: SPI question
Reply-to: kai@imib.med.tu-dresden.de
CC: ipsec@tis.com
In-reply-to: <250F9C8DEB9ED011A14D08002BE4F64C01959175@wade.reo.dec.com>
X-mailer: Pegasus Mail for Windows (v2.54)
Message-ID: <1813A72BF9@fltserv.imib.med.tu-dresden.de>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Steven,

> Waters> Isn't this the wrong way round? If the initiator is setting up
> an SA, it is probably because
> Waters> there is a packet waiting to go OUT.
> Waters>
> Waters> It seems more logical to me that the initiator should specify
> the SPI for the Initiator's OUTBOUND and
> Waters> the responder's INBOUND, and that the responder should create
> another SPI for the responder's
> Waters> OUTBOUND and the initiator's INBOUND.
> Waters>
> Waters> This is all guess-work though - I haven't read it anywhere. I
> know, you can tell :)
> Waters> Cheers, Steve.

You're right, this is the "common case" where I have a local policy for outgoing packets in place (specified in the SPD). These "outgoing rules" are searched for a matching selector before a packet leaves the machine, and therefore the resulting SPI of I is "outgoing" and R's SPI is "incoming".

However, a question which is still open (to me) is: if there is no former agreement between two systems to use IPsec, but one of them requires, say, AH for every incoming packet (what is an "incoming rule"), every packet without AH will be dropped silently. The "ignorant" sender will never get a packet to this machine. On the other hand, if this packet would trigger an IKE exchange (where the SPI-inbound/outbound relation is opposite now) this could be an entry for DoS attacks...

Kai

# Kai Martius #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology #
# PGP Fingerprint: to be compared after download of my key #
# Key and more info (especially IP-security related) see my Homepage #
# http://www.imib.med.tu-dresden.de/imib/personal/kai.html #
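The two situations Kai contrasts (an outbound SPD rule that triggers IKE versus an inbound "AH required" rule that silently drops unprotected packets, and the DoS exposure if such packets were instead allowed to start IKE) can be made concrete with a small simulation. The code below is an added illustration written for this archive page; it is not from the list post, from any IPsec implementation or from an IETF document. The hosts, addresses, selector rules and the `TriggerLimiter` class are all constructed for the example, and the per-peer limit on unauthenticated IKE triggers is one hypothetical way to bound the exposure Kai describes, not a mechanism the thread proposes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    has_ah: bool = False   # True when the packet carries an AH header


@dataclass(frozen=True)
class Rule:
    """One SPD entry: a selector plus an action (constructed toy format)."""
    direction: str   # "in" or "out"
    peer: str        # remote address selector; "*" matches any
    proto: str       # protocol selector; "*" matches any
    action: str      # "protect" (AH required), "bypass" or "discard"

    def matches(self, pkt: Packet, direction: str) -> bool:
        remote = pkt.dst if direction == "out" else pkt.src
        return (self.direction == direction
                and self.peer in ("*", remote)
                and self.proto in ("*", pkt.proto))


class TriggerLimiter:
    """Caps how many IKE exchanges one unauthenticated peer address may
    trigger inside a sliding time window (hypothetical mitigation)."""

    def __init__(self, max_per_window: int, window: float) -> None:
        self.max_per_window = max_per_window
        self.window = window
        self.history: Dict[str, List[float]] = {}

    def allow(self, peer: str, now: float) -> bool:
        recent = [t for t in self.history.get(peer, []) if now - t < self.window]
        if len(recent) >= self.max_per_window:
            self.history[peer] = recent
            return False
        recent.append(now)
        self.history[peer] = recent
        return True


class Host:
    def __init__(self, name: str, rules: List[Rule],
                 trigger_on_inbound: bool = False,
                 limiter: Optional[TriggerLimiter] = None) -> None:
        self.name = name
        self.rules = rules
        self.trigger_on_inbound = trigger_on_inbound
        self.limiter = limiter
        self.ike_requests: List[str] = []   # peers IKE was asked to negotiate with

    def lookup(self, pkt: Packet, direction: str) -> Rule:
        for rule in self.rules:             # first match wins, like an ordered SPD
            if rule.matches(pkt, direction):
                return rule
        return Rule(direction, "*", "*", "discard")   # default deny (our choice)

    def send(self, pkt: Packet) -> str:
        """Outbound path: a 'protect' rule with no SA yet hands the packet to IKE."""
        rule = self.lookup(pkt, "out")
        if rule.action == "protect":
            self.ike_requests.append(pkt.dst)
            return "acquire"
        return rule.action

    def receive(self, pkt: Packet, now: float = 0.0) -> str:
        """Inbound path: an 'AH required' rule drops unprotected packets, silently
        by default, or after (rate-limited) IKE triggering when enabled."""
        rule = self.lookup(pkt, "in")
        if rule.action != "protect":
            return rule.action
        if pkt.has_ah:
            return "accept"
        if self.trigger_on_inbound and (
                self.limiter is None or self.limiter.allow(pkt.src, now)):
            self.ike_requests.append(pkt.src)
            return "drop+ike"
        return "drop-silent"


def outbound_trigger() -> str:
    """Common case: the initiator's outgoing rule starts the IKE exchange."""
    initiator = Host("I", [Rule("out", "10.0.0.2", "*", "protect")])
    return initiator.send(Packet("10.0.0.1", "10.0.0.2", "tcp"))


def silent_drop() -> str:
    """Responder requires AH inbound; the 'ignorant' sender is dropped silently."""
    responder = Host("R", [Rule("in", "*", "*", "protect")])
    return responder.receive(Packet("10.0.0.1", "10.0.0.2", "tcp"))


def inbound_trigger_with_limit(attempts: int) -> List[str]:
    """Inbound-trigger variant: unprotected packets may start IKE, but at most
    two exchanges per peer address per 10 s window are allowed."""
    responder = Host("R", [Rule("in", "*", "*", "protect")],
                     trigger_on_inbound=True,
                     limiter=TriggerLimiter(max_per_window=2, window=10.0))
    return [responder.receive(Packet("10.0.0.1", "10.0.0.2", "tcp"), now=float(i))
            for i in range(attempts)]
```

Run `outbound_trigger()`, `silent_drop()` and `inbound_trigger_with_limit(5)` to see the three behaviours side by side: the outbound rule yields an `acquire` request to IKE, the inbound-only rule drops the plaintext packet with no response, and the triggering variant starts IKE for the first two packets from an address and then falls back to silent drops, which is the point of bounding work that unauthenticated packets can cause.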