
Re: (IPng) out-of-band key management is like virtual cir




"Housley, Russ" says:
> Multicast Security Associations (SAs) cannot be managed in the same way as 
> peer-to-peer SAs.  Given this, the SAID should have some structure to 
> easily separate the multicast SAs from the peer-to-peer ones.

That is hardly obvious, and conflicts with the mechanisms described in
the drafts.

As clearly described in the drafts, SAIDs are assigned at the pleasure
of the entity controlling the destination address. The use of "entity
controlling" rather than "destination host" was deliberate -- it was
there because of multicast.

I, for one, see absolutely no reason that multicast SAs need to be
separated from normal SAs and my architecture for my implementation
has no need for such a separation -- an IPSP packet coming in is just
the same regardless of whether it was multicast or not, the crypto
algorithms are the same, etc. Only the key management system has to be
different, and as I've noted, in my system, once an SA is established
by a user level key management daemon the kernel no longer has any
care of where that SA came from.

This is a very natural fallout from the clean separation of
functionality that was proposed in the original IP security
architecture.

Perry

