
Re: (IPng) out-of-band key management is like virtual ...




Perry:

>> Multicast Security Associations (SAs) cannot be managed in the same way as 
>> peer-to-peer SAs.  Given this, the SAID should have some structure to 
>> easily separate the multicast SAs from the peer-to-peer ones.
>
>That is hardly obvious, and conflicts with the mechanisms described in 
>the drafts.
>
>As clearly described in the drafts, SAIDs are assigned at the pleasure 
>of the entity controlling the destination address. The use of "entity 
>controlling" rather than "destination host" was deliberate -- it was 
>there because of multicast.

I agree that the SAID must be assigned by the entity controlling the 
destination address.  In fact, this is exactly my point.  Key management 
will do something different to establish a security association for two 
IPSP peers than to establish a multicast security association.

The IPSP processing may well be identical once those security associations 
are in place.

Russ
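The following is an added illustration of the point Russ and Perry are circling, not code from the IPng thread, the IPSP drafts, or either author. It models a toy security association database in which the SAID is allocated by whoever controls the destination address, a peer-to-peer SA and a multicast SA are established by two different key-management paths, and inbound processing is then identical for both because it only ever does a (destination, SAID) lookup. Everything not in the message is an assumption: the HMAC-SHA-256 authenticator, the 32-bit SAID with low values reserved, the use of os.urandom as a stand-in for key agreement or group key distribution, the host and group addresses, and host "a" acting as the multicast group's controller.

```python
"""Toy IPSP security association database (SAD).

Added example, not code from the IPng thread or the IPSP drafts.
Assumed (not in the original): HMAC-SHA-256 as the authenticator, a
32-bit SAID with values below 256 reserved, os.urandom standing in for
a real key agreement / group key distribution, IPv6-style string
addresses, and one host acting as the multicast group controller.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAC_LEN = 32  # HMAC-SHA-256 output (assumption)
SAID_LEN = 4  # 32-bit SAID on the wire (assumption)


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str      # destination address the SA belongs to
    said: int     # assigned by the entity controlling dst
    key: bytes    # pairwise key (unicast) or group key (multicast)


class SAD:
    """SAID allocation per destination plus (dst, said) lookup."""

    def __init__(self):
        self._table = {}
        self._next_said = {}

    def allocate_said(self, dst):
        # SAIDs are assigned by the entity controlling the destination,
        # so the allocator is keyed on the destination address alone and
        # the same SAID value may legitimately appear for another dst.
        said = self._next_said.get(dst, 256)
        self._next_said[dst] = said + 1
        return said

    def install(self, sa):
        self._table[(sa.dst, sa.said)] = sa

    def lookup(self, dst, said):
        return self._table.get((dst, said))


def establish_peer_sa(responder_sad, initiator_sad, initiator, responder):
    """Peer-to-peer path: the responder controls its own unicast address,
    so it picks the SAID; the two peers share one fresh pairwise key."""
    key = os.urandom(32)  # stands in for a pairwise key agreement
    sa = SecurityAssociation(responder, responder_sad.allocate_said(responder), key)
    responder_sad.install(sa)
    initiator_sad.install(sa)
    return sa


def establish_multicast_sa(controller_sad, member_sads, group):
    """Multicast path: the group controller picks the SAID and pushes one
    group key to every member; no member-to-member negotiation happens."""
    key = os.urandom(32)  # stands in for group key distribution
    sa = SecurityAssociation(group, controller_sad.allocate_said(group), key)
    controller_sad.install(sa)
    for sad in member_sads:
        sad.install(sa)
    return sa


def protect(sa, payload):
    """Outbound: SAID || payload || HMAC(key, SAID || payload)."""
    header = sa.said.to_bytes(SAID_LEN, "big")
    mac = hmac.new(sa.key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def process_inbound(sad, dst, packet):
    """Inbound: the same code for unicast and multicast. Returns the
    payload, or None when no SA matches or the authenticator fails."""
    if len(packet) < SAID_LEN + MAC_LEN:
        return None
    said = int.from_bytes(packet[:SAID_LEN], "big")
    sa = sad.lookup(dst, said)
    if sa is None:
        return None
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return body[SAID_LEN:]


def demo():
    """Three hosts; b is a's unicast peer, a controls a multicast group."""
    host_a, host_b, host_c = SAD(), SAD(), SAD()
    addr_a, addr_b, group = "2001:db8::a", "2001:db8::b", "ff0e::1234"  # assumed
    peer_sa = establish_peer_sa(host_b, host_a, addr_a, addr_b)
    group_sa = establish_multicast_sa(host_a, [host_b, host_c], group)
    pkt_uni = protect(peer_sa, b"hello b")
    pkt_grp = protect(group_sa, b"hello group")
    return {
        # both allocators start at 256: SAIDs are only unique per destination
        "same_said_different_dst": peer_sa.said == group_sa.said and peer_sa.dst != group_sa.dst,
        "unicast_at_b": process_inbound(host_b, addr_b, pkt_uni),
        "unicast_at_c": process_inbound(host_c, addr_b, pkt_uni),  # c never got that SA
        "group_at_b": process_inbound(host_b, group, pkt_grp),
        "group_at_c": process_inbound(host_c, group, pkt_grp),
        "tampered": process_inbound(host_c, group, pkt_grp[:4] + b"X" + pkt_grp[5:]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two establish_* functions are where key management diverges (pairwise negotiation versus one key pushed from a group controller); process_inbound never sees that difference, which is the sense in which IPSP processing can be identical once the SAs are in place. The SAID collision between the unicast SA on b and the group SA on a is deliberate and harmless, since nothing ever looks up a SAID without its destination.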