Consider the example in section 3.3 of IKEv2bis, which I've edited for brevity:

    SA Payload
       |
       +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
       |     |            7 transforms,      SPI = 0x052357bb )
       (either way for ESN, three CBC ciphers, two hashes)
       +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
             |            4 transforms,      SPI = 0x35a1d6f2 )
       (either way for ESN, two GCM ciphers)

The example shows two distinct SPI values. Is it *required* that the SPI values be different?

For example, PF_KEY has SADB_GETSPI which merely reserves an inbound SPI value, without ANY other properties attached. In theory, given the above example, I could instead issue:

    SA Payload
       |
       +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
       |     |            7 transforms,      SPI = 0x052357bb )
       (either way for ESN, three CBC ciphers, two hashes)
       +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
             |            4 transforms,      SPI = 0x052357bb )
       (either way for ESN, two GCM ciphers)

since I merely did a GETSPI which reserved 0x052357bb.

Thanks,
Dan

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
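
An added example, not part of the original message: it encodes the two ESP proposals from the question in the proposal and transform substructure layout of IKEv2bis sections 3.3.1 and 3.3.2, then parses them back and reports any SPI carried by more than one proposal. It shows only where the SPI sits on the wire and does not settle whether distinct values are required; the transform IDs and key lengths are assumed from the specification's full example, and the function names are hypothetical.

```python
import struct
from collections import Counter

# Constructed sample values: IANA IKEv2 numbers for the transforms that the
# message abbreviates as "three CBC ciphers, two hashes" and "two GCM ciphers".
ESP, ENCR, INTEG, ESN = 3, 1, 3, 5
AES_CBC, AES_GCM_8, HMAC_SHA1_96, AES_XCBC_96 = 12, 18, 2, 5

def transform(ttype, tid, keylen=None, last=False):
    """Transform substructure, with an optional Key Length (type 14) attribute."""
    attr = struct.pack("!HH", 0x8000 | 14, keylen) if keylen else b""
    return struct.pack("!BxHBxH", 0 if last else 3, 8 + len(attr), ttype, tid) + attr

def proposal(num, spi, transforms, last=False):
    """Proposal substructure for ESP; the 4-octet SPI follows the 8-octet header."""
    body = struct.pack("!I", spi) + b"".join(transforms)
    return struct.pack("!BxHBBBB", 0 if last else 2, 8 + len(body),
                       num, ESP, 4, len(transforms)) + body

def parse_proposals(data):
    """Walk the proposal list; return (number, protocol, spi_hex, n_transforms)."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated proposal header")
        more, length, num, proto, spi_size, n_tr = struct.unpack_from("!BxHBBBB", data, off)
        if length < 8 + spi_size or off + length > len(data):
            raise ValueError("bad proposal length")
        out.append((num, proto, data[off + 8: off + 8 + spi_size].hex(), n_tr))
        off += length
        if more == 0:  # Last Substruc: 0 = last proposal, 2 = more follow
            break
    return out

def shared_spis(props):
    """SPI values that appear in more than one proposal."""
    counts = Counter(spi for _, _, spi, _ in props)
    return sorted(s for s, n in counts.items() if n > 1)

def build_sample(spi1, spi2):
    """The two proposals from the message, with caller-chosen SPIs."""
    esn = [transform(ESN, 0), transform(ESN, 1, last=True)]
    cbc = [transform(ENCR, AES_CBC, k) for k in (128, 192, 256)]
    hashes = [transform(INTEG, HMAC_SHA1_96), transform(INTEG, AES_XCBC_96)]
    gcm = [transform(ENCR, AES_GCM_8, k) for k in (128, 256)]
    return (proposal(1, spi1, cbc + hashes + esn)
            + proposal(2, spi2, gcm + esn, last=True))

if __name__ == "__main__":
    print(parse_proposals(build_sample(0x052357bb, 0x052357bb)))
```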