Re: draft-ietf-ipsec-des-md5-00.txt
hughes@hughes.network.com wrote:
> .....
> I can add this to the esp, just like dumbing the keys up was.
>
> After thinking about it, I just need something, anything to break a tie for
> picking a forward and a reverse direction. A flag as to if I am the initiator
> or responder? IP address? Lower SPI? Anyway, if there is a way, I can dumb-up a
> few more keys for directionality?
>
> Comments?
>
For now, I am using addresses. But addresses may not work if NAT
(network address translation) is used. SPI may be a candidate, but
the two sides may choose the same SPI value. Perhaps this problem
should be resolved at the IKMP layer rather than at the IPSEC layer?
The only thing the IKMP layer needs to do is to give the IPSEC layer
a 1-bit flag to indicate direction.
I know that <I-cookie, R-cookie> and <R-cookie, I-cookie> pairs
can be used to derive 2 uni-directional keys. But can IPSEC assume
cookies will always be used?
Regards, Pau-Chen
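
An added illustration of the tie-break options discussed in this message; it is not code from either poster or from the draft. HMAC-SHA256 stands in as an assumed key-derivation function, and all function names, cookies, SPIs and addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

def directional_keys(secret: bytes, i_cookie: bytes, r_cookie: bytes):
    """Derive (initiator->responder, responder->initiator) keys from the two
    cookie orderings. Cookies are fixed length, so concatenation is unambiguous.
    HMAC-SHA256 is an assumed KDF, not the one in the draft."""
    i2r = hmac.new(secret, i_cookie + r_cookie, hashlib.sha256).digest()
    r2i = hmac.new(secret, r_cookie + i_cookie, hashlib.sha256).digest()
    return i2r, r2i

def session_keys(secret: bytes, i_cookie: bytes, r_cookie: bytes, is_initiator: bool):
    """The 1-bit flag handed down by key management selects (send_key, recv_key)."""
    i2r, r2i = directional_keys(secret, i_cookie, r_cookie)
    return (i2r, r2i) if is_initiator else (r2i, i2r)

def role_by_spi(local_spi: int, peer_spi: int):
    """SPI tie-break: lower SPI takes the 'forward' role.
    Returns None when both sides picked the same SPI (no decision possible)."""
    if local_spi == peer_spi:
        return None
    return local_spi < peer_spi

def role_by_address(local: str, peer_as_seen: str) -> bool:
    """Address tie-break: the numerically lower address takes the 'forward' role."""
    return ipaddress.ip_address(local) < ipaddress.ip_address(peer_as_seen)

def nat_roles_agree() -> bool:
    """Constructed scenario: host A is behind a NAT, so B never sees A's real address."""
    a_local, nat_public, b_local = "172.16.0.5", "203.0.113.1", "198.51.100.7"
    a_claims_forward = role_by_address(a_local, b_local)     # A compares with B's address
    b_claims_forward = role_by_address(b_local, nat_public)  # B compares with the NAT address
    # The tie-break works only if exactly one side claims the forward role.
    return a_claims_forward != b_claims_forward

if __name__ == "__main__":
    secret = b"\x0b" * 16                                # constructed shared secret
    i_cookie, r_cookie = bytes(range(8)), bytes(range(8, 16))  # constructed cookies
    send_i, recv_i = session_keys(secret, i_cookie, r_cookie, True)
    send_r, recv_r = session_keys(secret, i_cookie, r_cookie, False)
    print("initiator send == responder recv:", send_i == recv_r)
    print("two directions use different keys:", send_i != recv_i)
    print("SPI tie-break with equal SPIs:", role_by_spi(0x1000, 0x1000))
    print("address tie-break consistent behind NAT:", nat_roles_agree())
```
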