Hi,

I have a question regarding devices that are not able to randomly generate
SPIs, but instead store fixed values.  The question is how many fixed values
could be provisioned.

For unicast communications, a single SPI can be used over multiple nodes as
long as both nodes use IP addresses and the SPI to index the SAs. With
transport mode, the number of SPIs is equivalent to the number of hosts,
while with tunnel mode, the number of SPIs is equivalent to the number of
tunnels.
For that reason I would recommend that a minimal implementation supporting
unicast only has as many SPI values as ESP sessions per host or per security
gateway, and that the lookup includes the IP addresses.

However this would not work with a security gateway that performs the lookup
only based on the SPI. Such a security gateway would still be ESP-compliant.
Does it sound reasonable that security gateways implement the longest
match lookup, or at least a lookup considering IP addresses?

Yours,
Daniel
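The lookup question above (a receiver indexing its inbound SAD by SPI alone versus by SPI plus outer IP addresses, when several peers are provisioned with the same fixed SPI) is easier to see in code. The following is an added example written for this thread; it is not code from the draft, from Daniel, or from any IPsec implementation. The structure `sa_entry`, the two lookup functions, the scoring used for "longest match", and the sample SAD with its IPv4 addresses and SPI values are all constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_ANY 0u   /* wildcard address in an SAD entry (hypothetical convention) */

/* Hypothetical inbound SAD entry for a minimal unicast ESP receiver.
 * IPv4 addresses are held as host-order uint32 to keep the example short. */
typedef struct {
    uint32_t spi;        /* fixed, pre-provisioned SPI */
    uint32_t local_ip;   /* outer destination of inbound ESP packets, or IP_ANY */
    uint32_t remote_ip;  /* outer source of inbound ESP packets, or IP_ANY */
    int      key_id;     /* stands in for the SA's keys and anti-replay state */
} sa_entry;

/* Constructed SAD: two peers were provisioned with the same fixed SPI 0x1000,
 * a third peer has its own SPI and is matched on destination address only. */
static const sa_entry kSampleSad[] = {
    { 0x1000u, 0x0A000001u, 0xC000020Au, 1 },   /* 10.0.0.1 <- 192.0.2.10 */
    { 0x1000u, 0x0A000001u, 0xC000020Bu, 2 },   /* 10.0.0.1 <- 192.0.2.11 */
    { 0x2000u, 0x0A000001u, IP_ANY,      3 },   /* 10.0.0.1 <- any source */
};
static const size_t kSampleSadLen = sizeof kSampleSad / sizeof kSampleSad[0];

/* Receiver that indexes the SAD by SPI alone (a gateway of the kind the message
 * describes). Returns the key_id of the FIRST entry with that SPI, or -1. */
int sad_lookup_spi_only(const sa_entry *sad, size_t n, uint32_t spi)
{
    for (size_t i = 0; i < n; i++)
        if (sad[i].spi == spi)
            return sad[i].key_id;
    return -1;
}

/* Number of SAD entries sharing one SPI. Anything above 1 means an SPI-only
 * receiver cannot tell the peers apart, which is the provisioning limit at issue. */
size_t sad_spi_collisions(const sa_entry *sad, size_t n, uint32_t spi)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (sad[i].spi == spi)
            count++;
    return count;
}

/* Longest-match lookup on (SPI, outer dst, outer src). An entry with a concrete
 * address that does not match the packet is skipped; among the candidates that
 * remain, the one with the most concrete matching fields wins
 * (3 = SPI+dst+src, 2 = SPI plus one address, 1 = SPI only). Returns -1 when no
 * entry matches, so a packet from an unknown source is rejected rather than
 * silently handed to the wrong SA. */
int sad_lookup_addr(const sa_entry *sad, size_t n,
                    uint32_t spi, uint32_t dst, uint32_t src)
{
    int best = -1, best_score = 0;
    for (size_t i = 0; i < n; i++) {
        if (sad[i].spi != spi)
            continue;
        int score = 1;
        if (sad[i].local_ip != IP_ANY) {
            if (sad[i].local_ip != dst) continue;
            score++;
        }
        if (sad[i].remote_ip != IP_ANY) {
            if (sad[i].remote_ip != src) continue;
            score++;
        }
        if (score > best_score) {
            best_score = score;
            best = sad[i].key_id;
        }
    }
    return best;
}

int main(void)
{
    /* Constructed inbound packet from the second peer: SPI 0x1000, 10.0.0.1 <- 192.0.2.11 */
    uint32_t spi = 0x1000u, dst = 0x0A000001u, src = 0xC000020Bu;

    printf("entries sharing SPI 0x%04x: %zu\n", spi,
           sad_spi_collisions(kSampleSad, kSampleSadLen, spi));
    printf("SPI-only lookup   -> key_id %d (first match, wrong peer)\n",
           sad_lookup_spi_only(kSampleSad, kSampleSadLen, spi));
    printf("SPI+address lookup -> key_id %d\n",
           sad_lookup_addr(kSampleSad, kSampleSadLen, spi, dst, src));
    printf("unknown source     -> key_id %d (rejected)\n",
           sad_lookup_addr(kSampleSad, kSampleSadLen, spi, dst, 0xC000020Cu));
    return 0;
}
```

With two peers sharing SPI 0x1000, the SPI-only receiver returns key_id 1 for both of them, so the second peer's packets would be decrypted against the wrong key and fail integrity checking; the address-aware lookup resolves each to its own entry, and a packet carrying a known SPI from an unprovisioned source gets no SA at all. That is the behaviour the message argues a gateway should have before a node is allowed to reuse one fixed SPI across several peers.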

On Mon, Mar 13, 2017 at 9:58 AM, Daniel Migault <[email protected]
> wrote:

> Hi,
>
> Please find an update of a guidance for light implementation of standard
> ESP. Feel free to comment!
>
> Yours,
> Daniel
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Monday, March 13, 2017 9:57 AM
> To: Tobias Guggemos <[email protected]>; Daniel Migault <
> [email protected]>
> Subject: New Version Notification for draft-mglt-lwig-minimal-esp-04.txt
>
>
> A new version of I-D, draft-mglt-lwig-minimal-esp-04.txt
> has been successfully submitted by Daniel Migault and posted to the IETF
> repository.
>
> Name:           draft-mglt-lwig-minimal-esp
> Revision:       04
> Title:          Minimal ESP
> Document date:  2017-03-13
> Group:          Individual Submission
> Pages:          10
> URL:            https://www.ietf.org/internet-drafts/draft-mglt-lwig-minimal-esp-04.txt
> Status:         https://datatracker.ietf.org/doc/draft-mglt-lwig-minimal-esp/
> Htmlized:       https://tools.ietf.org/html/draft-mglt-lwig-minimal-esp-04
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-mglt-lwig-minimal-esp-04
>
> Abstract:
>    This document describes a minimal version of the IP Encapsulation
>    Security Payload (ESP) described in RFC 4303 which is part of the
>    IPsec suite.
>
>    ESP is used to provide confidentiality, data origin authentication,
>    connectionless integrity, an anti-replay service (a form of partial
>    sequence integrity), and limited traffic flow confidentiality.
>
>    This document does not update or modify RFC 4303, but provides a
>    compact description of how to implement the minimal version of the
>    protocol.  If this document and RFC 4303 conflicts then RFC 4303 is
>    the authoritative description.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
>
_______________________________________________
Lwip mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lwip