[anonsec] 3401 and hijacking
kent at bbn.com
Thu Feb 23 15:07:01 PST 2006
>> This almost sounds like a MIDCOM-style solution. I think this would
>> be a very big change to the current IPsec architecture, probably out
>> of scope for this WG.
>I agree, however I wonder if that sort of issue was already present in
>the BITW variants in 4301 anyway (to ensure, e.g., that packets arriving
> on different links with the same IP address didn't collide on SPI
This might be a problem if each interface had a distinct IPsec
implementation, not just a distinct SPD. However, I know of no such
devices, and thus no instances of problems of this sort. With just
one SAD for a BITW device, SPI assignment is centralized and thus the
problem you cite is avoided.