linux-ipsec: SA notation

From: Henry Spencer <henry(at)spsystems.net>
Date: Tue Sep 29 1998 - 17:01:19 EDT


The FreeS/WAN user-level code currently refers to SAs by giving the address and SPI as separate arguments. This is less than ideal, and will get more so when we start having multiple SPI number spaces, as the standard requires.

(For incoming connections, we pick the SPIs, and we can simply avoid collisions. But for outgoing connections, the other end picks the SPIs, and it is within its rights to use the same number for separate AH and ESP SAs, because AH SPIs are in a different number space from ESP SPIs. This is why the drafts say that an SA is identified by address, SPI, *and* protocol.)

(As a separate issue, we have internal fake SAs for the tunneling aspect of outgoing connections... and we have no way to ask the other end to supply us with legitimate SPIs for those. The simplest way to solve this, if we're doing separate AH and ESP number spaces anyway, is to put these fake SAs in a third SPI number space.)

This ties in with some past thoughts about terser notations for SA specifiers. The latest snapshot includes experimental library functions, atosa() and satoa(), for converting from and to a vaguely mail-like SA specifier syntax: "esp507@1.2.3.4" means protocol ESP, SPI 507, address 1.2.3.4. These are very much tentative, and nothing uses them yet. Comments on the syntax and the functions are welcome, indeed encouraged.

(At the moment, the to-ASCII function puts the SPI number in hex, so the above example turns into "esp0x1fb@1.2.3.4" on output. This is because we've got an accidental tradition of using hex numbers for SPIs, and the transition to the new notation is likely to go more smoothly if the base stays consistent. If and when everything is converted, the to-ASCII function will be fixed to use decimal.)

This will obviously mean some changes in the user interfaces of the utilities. However, this will be hidden from anyone who is using the "ipsec manual" command instead of building his own setup sequences by hand (hint, hint :-)).

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Tue Sep 29 18:02:10 1998
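The following is an added illustration of the "proto+SPI@address" specifier described above; it is not FreeS/WAN's atosa()/satoa() and makes no claim about how those library functions are written. It assumes exactly the syntax the message gives (protocol name "ah" or "esp", SPI in decimal or 0x-prefixed hex, an IPv4 dotted-quad address after the "@"), formats output in hex as the message says the current to-ASCII function does, and treats two SAs as the same only when address, SPI and protocol all match, which is the point of the AH/ESP number-space remark. The third SPI number space for the internal fake tunnel SAs is not named in the message, so it is not modelled here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <arpa/inet.h>

/* IP protocol numbers for the two SA protocols the message names. */
enum sa_proto { SA_ESP = 50, SA_AH = 51 };

/* An SA is identified by the triple (address, SPI, protocol). */
struct sa_id {
    int proto;             /* SA_ESP or SA_AH */
    uint32_t spi;
    struct in_addr addr;   /* IPv4 only, as in the message's example */
};

/* Parse "esp507@1.2.3.4" or "ah0x1fb@1.2.3.4" into *out.
 * Returns 0 on success, -1 on any malformed input. */
int parse_sa(const char *s, struct sa_id *out)
{
    const char *p = s;
    if (strncmp(p, "esp", 3) == 0) { out->proto = SA_ESP; p += 3; }
    else if (strncmp(p, "ah", 2) == 0) { out->proto = SA_AH; p += 2; }
    else return -1;                              /* unknown protocol name */

    const char *at = strchr(p, '@');
    if (at == NULL || at == p) return -1;        /* no separator or empty SPI */
    if (!isdigit((unsigned char)p[0])) return -1;/* no sign, no whitespace */

    /* A leading zero that is not "0x" would be read as octal by strtoul;
     * that is a surprise nobody wants in an SPI, so reject it. */
    if (p[0] == '0' && at - p > 1 && p[1] != 'x' && p[1] != 'X') return -1;

    errno = 0;
    char *end;
    unsigned long v = strtoul(p, &end, 0);       /* base 0: decimal or 0x hex */
    if (errno != 0 || end != at || v > 0xffffffffUL) return -1;
    out->spi = (uint32_t)v;

    if (inet_pton(AF_INET, at + 1, &out->addr) != 1) return -1;
    return 0;
}

/* Format as "esp0x1fb@1.2.3.4": SPI in hex, matching the current output base. */
int format_sa(const struct sa_id *sa, char *buf, size_t len)
{
    char a[INET_ADDRSTRLEN];
    const char *name;
    if (inet_ntop(AF_INET, &sa->addr, a, sizeof a) == NULL) return -1;
    if (sa->proto == SA_ESP) name = "esp";
    else if (sa->proto == SA_AH) name = "ah";
    else return -1;
    int n = snprintf(buf, len, "%s0x%x@%s", name, (unsigned)sa->spi, a);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Same SA only if all three components agree; "ah507@x" != "esp507@x". */
int sa_equal(const struct sa_id *a, const struct sa_id *b)
{
    return a->proto == b->proto && a->spi == b->spi &&
           a->addr.s_addr == b->addr.s_addr;
}

/* Small helpers so the behaviour can be checked from plain calls. */
long long spi_of(const char *s)
{
    struct sa_id sa;
    return parse_sa(s, &sa) == 0 ? (long long)sa.spi : -1;
}

int proto_of(const char *s)
{
    struct sa_id sa;
    return parse_sa(s, &sa) == 0 ? sa.proto : -1;
}

/* 1 if parsing `in` and re-formatting it yields exactly `expect`. */
int roundtrip_ok(const char *in, const char *expect)
{
    struct sa_id sa;
    char buf[64];
    if (parse_sa(in, &sa) != 0 || format_sa(&sa, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expect) == 0;
}

/* 1 if both specifiers name the same SA, 0 if not or if either is malformed. */
int same_sa(const char *x, const char *y)
{
    struct sa_id a, b;
    if (parse_sa(x, &a) != 0 || parse_sa(y, &b) != 0) return 0;
    return sa_equal(&a, &b);
}

int main(void)
{
    char buf[64];
    struct sa_id sa;
    if (parse_sa("esp507@1.2.3.4", &sa) == 0 && format_sa(&sa, buf, sizeof buf) == 0)
        printf("%s\n", buf);                     /* esp0x1fb@1.2.3.4 */
    return 0;
}
```

The octal rejection is the one place this deliberately diverges from what strtoul(3) would do on its own: "esp0777@..." is refused rather than silently read as 511, because an SPI typed by hand should mean what it looks like.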

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT