Re: (IPng) out-of-band key management is like virtual ...
Perry (et al.),
In the discussions of SAID "structure" there are a couple of cases
which I haven't been able to reconcile. I agree that in general,
SAIDs are assigned by the destination for unicast traffic. This
doesn't seem to always translate to multicast traffic. The secured
PDU being sent to a multicast group contains a single SAID. Further,
the membership in such a group may be dynamic over time.
Consequently, it seems that in some cases, I (a recipient) will join a
secure multicast group and be TOLD the SAID. This is no longer a
destination assigned SAID (it is also unclear whether at group
establishment the SAID is "negotiated" among all parties or assigned
by the group "master"). In such a case, absent any structure to the
SAID, it is possible that it will collide with an SAID I have
assigned. I thought it was this case that argued for some bit (either
"originator assigned" or "multicast group") in the SAID.
Without such a designator, how do you expect to handle these
> Date: Tue, 07 Mar 95 18:13:24 EST
> From: "Perry E. Metzger" <email@example.com>
> Subject: Re: (IPng) out-of-band key management is like virtual ...
> In-Reply-To: Your message of "Tue, 07 Mar 1995 14:46:01."
> "Housley, Russ" says:
> > >As clearly described in the drafts, SAIDs are assigned at the pleasure
> > >of the entity controlling the destination address. The use of "entity
> > >controlling" rather than "destination host" was deliberate -- it was
> > >there because of multicast.
> > I agree that the SAID must be assigned by the entity controlling the
> > destination address. In fact, this is exactly my point. Key management
> > will do something different to establish a security association for two
> > IPSP peers than to establish a multicast security association.
> > The IPSP processing may well be identical once those security associations
> > are in place.
> If you agree with that, then you are necessarily supporting the point
> that structured SAIDs are not needed for multicast.