[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng) out-of-band key management is like virtual ...

Perry (et al.),

In the discussions of SAID "structure" there are a couple of cases
which I haven't been able to reconcile.  I agree that in general,
SAIDs are assigned by the destination for unicast traffic.  This
doesn't seem to always translate to multicast traffic.  The secured
PDU being sent to a multicast group contains a single SAID.  Further,
the membership in a such a group may be dynamic over time.
Consequently, it seems that in some cases, I (a recipient) will join a
secure multicast group and be TOLD the SAID.  This is no longer a
destination assigned SAID (it is also unclear whether at group
establishment the SAID is "negotiated" among all parties or assigned
by the group "master").  In such a case, absent any structure to the
SAID, it is possible that it will collide with an SAID I have
assigned.  I thought it was this case that argued for some bit (either
"originator assigned" or "multicast group") in the SAID.

Without such a designator, how do you expect to handle these


> Date:    Tue, 07 Mar 95 18:13:24 EST
> From:    "Perry E. Metzger" <perry@imsi.com>
> Subject: Re: (IPng) out-of-band key management is like virtual ... 
> In-Reply-To: Your message of "Tue, 07 Mar 1995 14:46:01."
> 	 <9502077946.AA794616361@spysouth.spyrus.com> 
> "Housley, Russ" says:
> > >As clearly described in the drafts, SAIDs are assigned at the pleasure 
> > >of the entity controlling the destination address. The us of "entity 
> > >controlling" rather than "destination host" was deliberate -- it was 
> > >there because of multicast.
> > 
> > I agree that the SAID must me assigned by the entity controlling the 
> > destination address.  In fact, this is exactly my point.  Key management 
> > will do something different to establish a security association for two 
> > IPSP peers than to establish a multicast security association.
> > 
> > The IPSP processing may well be identical once those security associations 
> > are in place.
> If you agree with that, then you are necessarily supporting the point
> that structured SAIDs are not needed for multicast.
> .pm

Follow-Ups: References: