1. Security Parameter Index (SPI) : This 32-bit value is the unique identifier of the SA, chosen by the receiver of the SA. If the SAD entry is for an outbound SA, the SPI is used to build the packet's AH or ESP header. In the case of a SAD entry for an inbound SA, the SPI is employed to assign traffic to the suitable SA.
2. Sequence Number Counter (SNC) : This is either a 64-bit or a 32-bit value that is employed to generate the Sequence Number Field in either AH or ESP headers. The default is a 64-bit counter, but a 32-bit counter may be negotiated.
3. Sequence Counter Overflow : This is a flag signifying whether overflow of the SNC should generate an auditable event, thereby preventing the sending of any more packets on the SA (but rollovers may be permitted).
4. Antireplay Window : This is a 64-bit counter and a bit map used to indicate whether an inbound (AH or ESP) packet is a replay. Accommodation for 32-bit numbers is made, but the default is 64-bit. It is possible for the receiver, in certain situations, to disable antireplay. If so, the Antireplay Window is ignored for this SA.
5. AH Authentication Algorithm : These are parameters associated with
the use of AH, which include keys and their lifetimes. Of course, this
parameter is required only if AH is supported.
6. ESP Encryption Algorithm : These are parameters related to the use of
ESP such as keys and mode.
7. ESP Integrity Algorithm : This involves the keys and other parameters
involved in ESP integrity, but if this service is not chosen, these will be
null fields.
8. ESP Combined Mode Algorithm : The keys and other parameters, as chosen above, but only if both encryption and integrity are selected for use with ESP.
9. Lifetime of this SA : Typically this parameter is a byte count that
specifies the life span of the SA, and upon completion of that duration
of use, the SA either (1) must be replaced by a new SA with a new SPI,
or (2) terminated. This parameter includes an indication as to which of
(1) or (2) should occur. This parameter may also be expressed as a time
count, and any compliant implementation MUST support both types of
lifetimes, as well as simultaneous use of both. Furthermore, if the packet
does not get delivered during the lifetime of the SA, the packet SHOULD
be discarded.
10. IPSec Protocol Mode : This is a choice of tunnel or transport, which indicates which mode of AH or ESP is applied to traffic on this SA.
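As an added illustration of items 2, 3 and 4 (this is example code written for this page, not taken from any IPsec implementation), the following Python models the sender-side sequence counter with its overflow flag and the receiver-side 64-bit anti-replay window as a sliding bitmap. It assumes 32-bit sequence numbers on the inbound side and that the first sequence number sent on a fresh SA is 1, as in RFC 4303; the SPI values are constructed.

```python
from dataclasses import dataclass, field

WINDOW = 64  # default anti-replay window size (item 4); 32 may be negotiated

@dataclass
class OutboundSA:
    """Sender-side state: the SNC (item 2) and the overflow flag (item 3)."""
    spi: int
    esn: bool = True               # 64-bit counter by default, 32-bit if negotiated
    audit_on_overflow: bool = True  # True: overflow is auditable and stops sending
    counter: int = 0
    audit_log: list = field(default_factory=list)

    def next_seq(self):
        """Next Sequence Number Field value, or None once the SA may not send."""
        limit = (1 << 64) - 1 if self.esn else (1 << 32) - 1
        if self.counter >= limit:
            if self.audit_on_overflow:
                self.audit_log.append(f"SPI {self.spi:#010x}: sequence counter overflow")
                return None        # auditable event: SA must be replaced (new SPI)
            self.counter = 0       # rollover permitted on this SA
        self.counter += 1
        return self.counter

@dataclass
class InboundSA:
    """Receiver-side state: anti-replay window (item 4); assumes 32-bit sequence numbers."""
    spi: int
    antireplay: bool = True
    highest: int = 0      # highest sequence number accepted so far
    bitmap: int = 0       # bit i set => sequence number (highest - i) already seen

    def accept(self, seq):
        """True if the packet is new and inside the window; False if replayed or too old."""
        if not self.antireplay:
            return True                           # window ignored for this SA
        if seq == 0:
            return False                          # first legal sequence number is 1
        if seq > self.highest:                    # right of window: slide it forward
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or self.bitmap & (1 << offset):
            return False                          # left of window, or a replay
        self.bitmap |= 1 << offset                # mark as seen inside the window
        return True
```

A rejected packet is exactly the auditable condition item 4 describes; a production implementation would also verify the integrity check value before updating the window, so that forged packets cannot advance it.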