Re: (IPng) out-of-band key management is like virtual ...
Perry:
>> Multicast Security Associations (SAs) cannot be managed in the same way as
>> peer-to-peer SAs. Given this, the SAID should have some structure to
>> easily separate the multicast SAs from the peer-to-peer ones.
>
>That is hardly obvious, and conflicts with the mechanisms described in
>the drafts.
>
>As clearly described in the drafts, SAIDs are assigned at the pleasure
>of the entity controlling the destination address. The use of "entity
>controlling" rather than "destination host" was deliberate -- it was
>there because of multicast.
I agree that the SAID must be assigned by the entity controlling the
destination address. In fact, this is exactly my point. Key management
will do something different to establish a security association for two
IPSP peers than to establish a multicast security association.
The IPSP processing may well be identical once those security associations
are in place.
Russ