> The SPI doesn't have the semantics.
>
> => I disagree, the SPI has the semantics we'd like to give to it.
When reasonable key management protocols are in use, IPSEC SPIs are
pseudo-random, chosen by the receiver, and securely communicated to
the sender via the key management protocol.
The use of random SPIs is one of the defenses against off-path
denial-of-service attacks: an off-path attacker forging source
addresses cannot easily guess a valid SPI, and so packets with invalid
SPIs can be quickly discarded without requiring any cryptographic
processing.
What semantics do you think you can impose on something like that?
- Bill
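The mechanism Bill describes, as an added illustration that is not part of the original message or of any IPsec implementation: the receiver allocates a pseudo-random 32-bit SPI for each inbound SA, and inbound processing looks the SPI up before doing any integrity check, so a packet carrying an unknown SPI costs one table lookup and no cryptography. The packet framing (SPI || payload || HMAC-SHA256 tag), the class and function names, and the simulated flood are constructed for this example; they simplify real ESP/AH, which also carries sequence numbers and negotiates the SPI through IKE.

```python
"""Receiver-chosen random SPIs as a pre-crypto filter (constructed example)."""
import hashlib
import hmac
import secrets
import struct

SPI_BITS = 32            # the ESP/AH SPI field is 32 bits wide
ICV_LEN = 32             # constructed framing: HMAC-SHA256 tag over SPI || payload
RESERVED_SPI_MAX = 255   # SPI values 0-255 are reserved (RFC 4303, section 2.1)


class InboundSADB:
    """Receiver-side SA table keyed by SPI; the receiver, not the sender, picks the SPI."""

    def __init__(self):
        self.sas = {}  # spi -> authentication key (bytes)
        self.stats = {"unknown_spi": 0, "bad_icv": 0, "accepted": 0}

    def create_sa(self, auth_key: bytes) -> int:
        """Allocate a pseudo-random, currently unused SPI for a new inbound SA.

        In a real stack the SPI is then handed to the peer by the key management
        protocol (e.g. IKE); here the caller simply passes it to build_packet().
        """
        while True:
            spi = secrets.randbits(SPI_BITS)
            if spi > RESERVED_SPI_MAX and spi not in self.sas:
                self.sas[spi] = auth_key
                return spi

    def inbound(self, packet: bytes) -> bool:
        """Process one inbound packet; return True only if it is accepted."""
        if len(packet) < 4 + ICV_LEN:
            self.stats["unknown_spi"] += 1  # too short to carry an SPI and a tag
            return False
        (spi,) = struct.unpack("!I", packet[:4])
        key = self.sas.get(spi)
        if key is None:
            # A forged packet with a guessed SPI lands here: one dictionary
            # lookup and no MAC computation, which is the point of the defense.
            self.stats["unknown_spi"] += 1
            return False
        expected = hmac.new(key, packet[:-ICV_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet[-ICV_LEN:]):
            self.stats["bad_icv"] += 1
            return False
        self.stats["accepted"] += 1
        return True


def build_packet(spi: int, auth_key: bytes, payload: bytes) -> bytes:
    """Sender side of the constructed framing: SPI || payload || ICV."""
    header = struct.pack("!I", spi)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


def guess_probability(active_sas: int) -> float:
    """Chance that one uniformly random 32-bit SPI matches a live inbound SA."""
    return active_sas / float(2 ** SPI_BITS)


def simulate_flood(sadb: InboundSADB, count: int) -> dict:
    """Feed `count` packets with random SPIs and no valid key; return the counters.

    Almost all of them are dropped on the SPI lookup; only the rare hit on a
    live SPI ever reaches the MAC check, and it fails there.
    """
    for _ in range(count):
        bogus = build_packet(secrets.randbits(SPI_BITS), b"no-valid-key", b"junk")
        sadb.inbound(bogus)
    return dict(sadb.stats)


if __name__ == "__main__":
    sadb = InboundSADB()
    key = secrets.token_bytes(32)
    spi = sadb.create_sa(key)
    sadb.inbound(build_packet(spi, key, b"legitimate data"))
    print("SPI 0x%08x, stats after one valid packet: %s" % (spi, sadb.stats))
    print("stats after 10000 random-SPI packets:", simulate_flood(sadb, 10_000))
    print("per-packet hit chance with 1000 SAs: %.3e" % guess_probability(1000))
```

The counters make the cost asymmetry visible: every legitimate packet pays for one HMAC, while forged packets with unknown SPIs never reach `hmac.new` at all. A predictable SPI (for example a counter starting at 256) would collapse `guess_probability` to near 1 for a sender who can observe or infer the allocation order, which is why the receiver draws it from a CSPRNG.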
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------