Re: Notes about identifier - locator separator

[RJ Atkinson <rja@extremenetworks.com>]

On Sunday, Nov 3, 2002, at 08:26 America/Montreal, Masataka Ohta wrote:
> > The key here is state.  If the middle box or the receiver
> > has state (e.g. a cryptographic key or a communication context),
> > it can check that the arriving packet indeed contains or
> > implies a known long lasting identifier, and act accordingly.
> > However, parties that do not have that state cannot find
> > out the long lasting identifiers.
> For a receiver to retrieve an appropriate cryptographic key or
> a communication context for a packet, a long lasting ID in clear
> text, as an index to the long lasting database of key or context,
> must be carried by the packet.
SPIs in ESP/AH are examples of IDs contained in a packet used
as an index to the Security Association state.  SPIs are not
normally long-lasting -- typically only valid for the lifetime
of the SA (plus epsilon).  Any sane key management strategy
involves changing *session* keys *at least* every 24 hours,
even for very strong cryptographic algorithms.

So the claim above is bogus (or poorly written).

Ran