I believe that the question is “when someone receives an IPsec packet, how do they determine the SA, assuming that they have negotiated both standard SAs (with 32 bit SPIs), and diet-esp (with shorter SPIs).”
My initial assumption was that, as the receiver picks its incoming SPIs, that they pick them to allow unambiguous lookup. For example, if a diet-esp inbound SA has an 8 bit SPI of 07, that means that the implementation ensures that it does not have any standard inbound SAs with SPIs of the form 07xxxxxxxx.

It might not be totally unreasonable if the diet draft spelled out a method for achieving this…

From: IPsec <ipsec-boun...@ietf.org> On Behalf Of Paul Wouters
Sent: Tuesday, May 24, 2022 11:14 AM
To: Robert Moskowitz <rgm-...@htt-consult.com>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] diet-esp - How do you know?

On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:

I think there is something else I am missing here. How does the receiving system 'know' that the packet is a diet-esp packet?

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02

It's negotiated with IKEv2. I guess the IKE stack has to signal this to the ESP implementation on what to expect when the policy is installed?

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
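The receiver-side rule from the top reply (pick inbound SPIs so that no SPI is a prefix of another), as an added example that is not part of the thread or of the diet-esp draft. It assumes the compressed SPI is the leading 1 to 4 bytes of the received packet; the class, method names and sample packets are hypothetical and constructed for illustration.

```python
import secrets

class InboundSpiTable:
    """Receiver-side inbound SA table whose SPIs (1 to 4 bytes) are kept prefix-free."""

    def __init__(self):
        self._sas = {}  # SPI bytes -> SA (a label here)

    def _conflicts(self, spi):
        # Two SPIs collide when one is a prefix of the other (or they are equal).
        return any(old[:len(spi)] == spi[:len(old)] for old in self._sas)

    def install(self, spi, sa):
        if not 1 <= len(spi) <= 4:
            raise ValueError("SPI must be 1 to 4 bytes")
        if len(spi) == 4 and int.from_bytes(spi, "big") <= 255:
            raise ValueError("SPI values 0-255 are reserved (RFC 4303)")
        if self._conflicts(spi):
            raise ValueError("SPI would make inbound lookup ambiguous")
        self._sas[spi] = sa

    def allocate(self, spi_len, sa, attempts=64):
        # The receiver chooses its own inbound SPI: draw at random, keep the first that fits.
        for _ in range(attempts):
            spi = secrets.token_bytes(spi_len)
            try:
                self.install(spi, sa)
                return spi
            except ValueError:
                continue
        raise RuntimeError("no unambiguous SPI of that length is free")

    def lookup(self, packet):
        # Because the table is prefix-free, at most one prefix length can match.
        for n in range(1, 5):
            sa = self._sas.get(bytes(packet[:n]))
            if sa is not None:
                return sa, n
        return None

def demo():
    table = InboundSpiTable()
    table.install(bytes.fromhex("07"), "diet-esp SA")           # 8-bit SPI 07
    table.install(bytes.fromhex("08aabbcc"), "standard SA")     # 32-bit SPI
    try:
        table.install(bytes.fromhex("07aabbcc"), "standard SA 2")  # shares prefix 07
        rejected = False
    except ValueError:
        rejected = True
    diet_pkt = bytes.fromhex("07") + b"constructed payload"
    std_pkt = bytes.fromhex("08aabbcc") + b"constructed payload"
    return rejected, table.lookup(diet_pkt), table.lookup(std_pkt)
```

The same check runs in both directions, so a short SPI cannot be installed once a standard SPI beginning with those bytes exists.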