There is this myth going around that you can't distinguish ESP traffic by any external means, but that of course can't be true or you couldn't figure out which keys to use to decrypt the traffic. The SPI distinguishes the use of a particular keyset, and our usual dogma in the IPSEC world is that you should try to avoid re-using keys across flows, so in fact ESP traffic is not opaque for purposes of distinguishing flows. The SPI will generally represent a flow (except in the VPN case, which has a myriad of its own problems).
--
Perry E. Metzger [EMAIL PROTECTED]
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
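The point made in the message above, as an added example that is not part of the original post: the SPI and sequence number sit in the clear at the start of the ESP header, so an observer can group packets per security association without any keys. The function names, the choice of (destination address, SPI) as the grouping key, and the sample packets are assumptions made for this illustration; packets carrying a Fragment header are skipped.

```python
import ipaddress
import struct
from collections import defaultdict

ESP = 50                      # IPv6 Next Header value for ESP
EXT_HEADERS = {0, 43, 60}     # hop-by-hop, routing, destination options

def parse_esp(pkt: bytes):
    """Return (dst, spi, seq) for an IPv6 packet carrying ESP, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    # Walk the cleartext extension headers that may precede ESP.
    while nxt in EXT_HEADERS:
        if len(pkt) < off + 8:
            return None
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt != ESP or len(pkt) < off + 8:
        return None
    # SPI and sequence number are the only unencrypted ESP header fields.
    spi, seq = struct.unpack_from("!II", pkt, off)
    return dst, spi, seq

def flows_by_spi(packets):
    """Group packets by (destination, SPI); values are sequence numbers seen."""
    flows = defaultdict(list)
    for pkt in packets:
        parsed = parse_esp(pkt)
        if parsed:
            dst, spi, seq = parsed
            flows[(dst, spi)].append(seq)
    return dict(flows)

def make_pkt(src, dst, spi, seq, ext=b"", first_nh=ESP):
    """Build a constructed IPv6+ESP test packet with an opaque payload."""
    body = ext + struct.pack("!II", spi, seq) + b"\xaa" * 16
    hdr = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

# Constructed sample traffic: two SAs to one peer, one SA to another peer.
DEST_OPTS = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])  # dest-options hdr, PadN, next=ESP
SAMPLE = [
    make_pkt("2001:db8::1", "2001:db8::2", 0x1001, 1),
    make_pkt("2001:db8::1", "2001:db8::2", 0x1001, 2),
    make_pkt("2001:db8::1", "2001:db8::2", 0x2002, 1, DEST_OPTS, first_nh=60),
    make_pkt("2001:db8::1", "2001:db8::3", 0x1001, 1),
]
```

Calling `flows_by_spi(SAMPLE)` yields three groups: the same SPI value toward two different destinations is kept apart, which is why the destination address is part of the key here.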
