
Re: RFC1108 vs SAID



IPSECers:

Remember how we got here?  There was a question about whether or not IPSP
needed an SAID or whether the IP address pair could be used instead.  The
security label issue was brought up as one example showing that an SAID is
required and that the IP address pair is insufficient.  Based on this example,
some folks are suggesting that this is a military requirement, not a commercial
one.

Let me suggest another example that has a commercial flavor (and a military one
too).

Assume that there is a lot of traffic flowing between two hosts, and that the
traffic falls into four categories:
  1.  Requires no protection.
  2.  Requires protection from disclosure.
  3.  Requires protection from modification.
  4.  Requires protection from disclosure and modification.

IPSP is not needed for category 1, but it should be able to support categories
2, 3, and 4 simultaneously.  The IP address pair does not provide enough
information for the destination host to determine how to process the IPSP
packet (decrypt, ICV check, or both).  The SAID provides the missing
information.

Anyway, we now have two examples where IP address pair is insufficient:
security labels and security services.  Two examples should be enough to show
that an SAID should be included in IPSP.  I recommend that we use a 32-bit
SAID.  The IEEE 802.10 Secure Data Exchange (SDE) protocol uses a 32-bit SAID,
and the high order bit is used to distinguish between pairwise SAIDs and
multicast SAIDs.  If we intend to support IP multicast, then I suggest that we
adopt this convention too.

Russ
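The following is an added example, not code from Russ's message or from any IPSP draft. It models the point above: three security associations between the same address pair, one offering confidentiality only, one integrity only, one both, so that the receiver cannot tell from the address pair alone whether to decrypt, check an ICV, or both, while a 32-bit SAID carried in the packet selects the right processing. The packet layout (SAID, sequence number, payload, optional 16-byte truncated HMAC-SHA256 ICV), the toy SHA-256 counter-mode keystream, the SA database shape and the keys and addresses are all assumptions made for illustration; only the 32-bit SAID and the high-order multicast bit follow the text.

```python
"""Toy IPSP-style sender/receiver showing why a SAID is needed.

Added example. Packet format, keystream, SADB layout, keys and
addresses are assumptions; nothing here is the real IPSP or SDE format.
"""
import hashlib
import hmac
import struct

# 802.10 SDE convention mentioned in the message: high-order bit of the
# 32-bit SAID distinguishes multicast SAIDs from pairwise ones.
MULTICAST_BIT = 0x80000000


def is_multicast_said(said):
    return bool(said & MULTICAST_BIT)


class SA:
    """One security association: which services apply and the keys for them."""
    def __init__(self, said, confidentiality, integrity, enc_key=b"", mac_key=b""):
        self.said = said
        self.confidentiality = confidentiality
        self.integrity = integrity
        self.enc_key = enc_key
        self.mac_key = mac_key


def _keystream(key, seq, n):
    # Toy keystream: SHA-256 over (key, seq, counter). Not a real cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!II", seq, counter)).digest()
        counter += 1
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


# Assumed packet layout: 4-byte SAID | 4-byte seq | payload | optional 16-byte ICV
HDR = struct.Struct("!II")
ICV_LEN = 16


def protect(sa, seq, plaintext):
    body = plaintext
    if sa.confidentiality:
        body = _xor(plaintext, _keystream(sa.enc_key, seq, len(plaintext)))
    pkt = HDR.pack(sa.said, seq) + body
    if sa.integrity:
        pkt += hmac.new(sa.mac_key, pkt, hashlib.sha256).digest()[:ICV_LEN]
    return pkt


def unprotect(sadb, src, dst, pkt):
    """Receiver side: the SAID in the packet picks the SA, the SA picks the processing."""
    said, seq = HDR.unpack_from(pkt)
    sa = sadb.get((src, dst, said))
    if sa is None:
        raise KeyError("no SA for (%s, %s, %#x)" % (src, dst, said))
    body = pkt[HDR.size:]
    if sa.integrity:
        if len(body) < ICV_LEN:
            raise ValueError("packet too short for ICV")
        body, icv = body[:-ICV_LEN], body[-ICV_LEN:]
        expect = hmac.new(sa.mac_key, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):
            raise ValueError("ICV check failed")
    if sa.confidentiality:
        body = _xor(body, _keystream(sa.enc_key, seq, len(body)))
    return body


# Constructed sample: one address pair, three SAs (categories 2, 3 and 4 above).
SRC, DST = "10.0.0.1", "10.0.0.2"
SADB = {
    (SRC, DST, 0x00000010): SA(0x10, True, False, enc_key=b"enc-key-1"),
    (SRC, DST, 0x00000011): SA(0x11, False, True, mac_key=b"mac-key-1"),
    (SRC, DST, 0x00000012): SA(0x12, True, True, enc_key=b"enc-key-2", mac_key=b"mac-key-2"),
}


def sas_for_address_pair(sadb, src, dst):
    """What an address-pair-only lookup yields: every SA for the pair, i.e. ambiguous."""
    return [sa for (s, d, _), sa in sadb.items() if (s, d) == (src, dst)]


def round_trip(sadb=SADB):
    """Send 'hello' on each SA and have the receiver recover it via the SAID."""
    return {sa.said: unprotect(sadb, SRC, DST, protect(sa, 1, b"hello"))
            for sa in sadb.values()}


def tamper_detected(sa, sadb=SADB, seq=1):
    """Flip one payload bit in transit; only SAs with integrity service notice."""
    pkt = bytearray(protect(sa, seq, b"hello"))
    pkt[HDR.size] ^= 0x01
    try:
        unprotect(sadb, SRC, DST, bytes(pkt))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(round_trip())
    print("SAs sharing the address pair:", len(sas_for_address_pair(SADB, SRC, DST)))
    for sa in SADB.values():
        print("SAID %#x tamper detected: %s" % (sa.said, tamper_detected(sa)))
```

The address-pair lookup returns all three SAs, so a receiver keyed only on addresses would have to guess whether a given packet carries ciphertext, an ICV, or both; the SAID removes the guess. The tamper check also makes the category distinction concrete: a bit flip on the confidentiality-only SA silently yields different plaintext, while the two SAs with integrity service reject the packet.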

