Scott,

That is my question/point. And if I understand diet-esp and lsb, then
the 8-bit SPI maps to the full SPI in the SA is xxxxxx07?

Ah, the *Receiver* picks the incoming SPIs. It has been so many years
since I looked into the protocol/code that I lost sight of this. I had
it reversed. Thus the receiver MUST be careful in selecting its
incoming SPIs such that there is no collision.

The draft needs to spell this out.

And for a UAS Network Remote ID Service Provider, it would use a 2-byte
transmitted SPI to allow for a reasonable number of UAS in service at
any time...

On 5/24/22 11:30, Scott Fluhrer (sfluhrer) wrote:

I believe that the question is “when someone receives an IPsec packet,
how do they determine the SA, assuming that they have negotiated both
standard SAs (with 32 bit SPIs), and diet-esp (with shorter SPIs).”

My initial assumption was that, as the receiver picks its incoming
SPIs, that they pick them to allow unambiguous lookup. For example,
if a diet-esp inbound SA has an 8 bit SPI of 07, that means that the
implementation ensures that it does not have any standard inbound SAs
with SPIs of the form 07xxxxxxxx.

It might not be totally unreasonable if the diet draft spelled out a
method for achieving this…

*From:* IPsec <ipsec-boun...@ietf.org> *On Behalf Of *Paul Wouters
*Sent:* Tuesday, May 24, 2022 11:14 AM
*To:* Robert Moskowitz <rgm-...@htt-consult.com>
*Cc:* IPsecME WG <ipsec@ietf.org>
*Subject:* Re: [IPsec] diet-esp - How do you know?

On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz
<rgm-...@htt-consult.com> wrote:

I think there is something else I am missing here.

How does the receiving system 'know' that the packet is a diet-esp
packet?

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02

It's negotiated with IKEv2.

I guess the IKE stack has to signal this to the ESP implementation on
what to expect when
the policy is installed?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
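
The receiver-side SPI selection discussed in this thread (inbound SPIs chosen so that lookup is unambiguous), sketched as an added example that is not part of the thread or of the draft. It assumes the SPI is the first field of the received packet and that 1-, 2- and 4-byte SPIs coexist, and it keeps the installed SPIs prefix-free; `InboundSpiTable`, its methods and the sample SAs are hypothetical.

```python
import secrets

class InboundSpiTable:
    """Inbound SAs keyed by SPI bytes as received; the key set is kept prefix-free."""

    WIDTHS = (1, 2, 4)  # assumed wire SPI sizes in bytes (4 = standard ESP)

    def __init__(self):
        self._sas = {}  # wire SPI bytes -> SA handle

    def conflicts(self, spi: bytes) -> bool:
        # Ambiguous if an installed SPI is a prefix of the new one or vice versa,
        # e.g. 1-byte 07 against a standard SPI whose first byte is 07.
        return any(k.startswith(spi) or spi.startswith(k) for k in self._sas)

    def install(self, spi: bytes, sa: str) -> None:
        if len(spi) not in self.WIDTHS:
            raise ValueError("unsupported SPI width")
        if len(spi) == 4 and int.from_bytes(spi, "big") <= 255:
            raise ValueError("SPI values 0-255 are reserved (RFC 4303)")
        if self.conflicts(spi):
            raise ValueError(f"SPI {spi.hex()} is ambiguous with an installed SA")
        self._sas[spi] = sa

    def allocate(self, width: int, sa: str, tries: int = 1000) -> bytes:
        # Receiver-side choice of an inbound SPI: draw at random, retry on conflict.
        if width not in self.WIDTHS:
            raise ValueError("unsupported SPI width")
        for _ in range(tries):
            spi = secrets.token_bytes(width)
            try:
                self.install(spi, sa)
                return spi
            except ValueError:
                continue
        raise RuntimeError("no unambiguous SPI of this width is available")

    def lookup(self, packet: bytes):
        # Shortest width first; prefix-freeness means at most one width can match.
        for w in self.WIDTHS:
            if len(packet) >= w and packet[:w] in self._sas:
                return self._sas[packet[:w]], w
        return None

# Constructed sample SAs: one diet-esp SA with 1-byte SPI 07, one standard SA.
table = InboundSpiTable()
table.install(bytes.fromhex("07"), "diet-sa")
table.install(bytes.fromhex("1234abcd"), "std-sa")
```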