Miika, > On 6/30/16, 1:12 AM, "Miika Komu" <miika.k...@ericsson.com> wrote: > > Is it actually a problem for the Responder that two different Initiators > happen to claim different SPIs? The Initiators have different IP > addresses (or at least UDP ports if they are behind the same NAT).
You’re right, it seems like it is not a problem for the Responder since there are different IP/ports. > It is a problem for the data relay, so the text says: > > "Upon receiving an I2 with a colliding SPI, the Responder MUST not > include the relayed address in the R2 message because the data relay > would not be able demultiplex the related ESP packet to the correct > Initiator." Does this mean the Responder should not even send the R2 message upon collision? The draft also says this: “The described collision scenario can be avoided if the Responder delivers a new relayed address candidate upon SPI collisions. Each relayed address has a separate UDP port reserved to it, so the relay can demultiplex properly conflicting SPIs of the Initiators based on the SPI and port number towards the correct Responder.” What if the Responder sends the R2 message (established state) and then immediately follows with an UPDATE packet to initiate a rekey? The rekey would cause both sides to select new SPI values. Not sure what happens if you send the R2 without the relayed address -- proper state not created on the Initiator? -Jeff _______________________________________________ Hipsec mailing list Hipsec@ietf.org https://www.ietf.org/mailman/listinfo/hipsec