[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng) out-of-band key management is like virtual ...

To: perry@imsi.com
Subject: Re: (IPng) out-of-band key management is like virtual ...
From: solo@BBN.COM
Date: Wed, 08 Mar 95 08:33:56 -0500
Cc: "Housley, Russ" <housley@spyrus.com>, ipsec@ans.net, solo@BBN.COM
In-Reply-To: Your message of Tue, 07 Mar 95 18:13:24 -0500. <199503072315.AA10955@interlock.ans.net>


Perry (et al.),

In the discussions of SAID "structure" there are a couple of cases
which I haven't been able to reconcile.  I agree that in general,
SAIDs are assigned by the destination for unicast traffic.  This
doesn't seem to always translate to multicast traffic.  The secured
PDU being sent to a multicast group contains a single SAID.  Further,
the membership in a such a group may be dynamic over time.
Consequently, it seems that in some cases, I (a recipient) will join a
secure multicast group and be TOLD the SAID.  This is no longer a
destination assigned SAID (it is also unclear whether at group
establishment the SAID is "negotiated" among all parties or assigned
by the group "master").  In such a case, absent any structure to the
SAID, it is possible that it will collide with an SAID I have
assigned.  I thought it was this case that argued for some bit (either
"originator assigned" or "multicast group") in the SAID.

Without such a designator, how do you expect to handle these
cases?

Dave

> Date:    Tue, 07 Mar 95 18:13:24 EST
> From:    "Perry E. Metzger" <perry@imsi.com>
> Subject: Re: (IPng) out-of-band key management is like virtual ... 
> 
> In-Reply-To: Your message of "Tue, 07 Mar 1995 14:46:01."
> 	 <9502077946.AA794616361@spysouth.spyrus.com> 
> "Housley, Russ" says:
> > >As clearly described in the drafts, SAIDs are assigned at the pleasure 
> > >of the entity controlling the destination address. The us of "entity 
> > >controlling" rather than "destination host" was deliberate -- it was 
> > >there because of multicast.
> > 
> > I agree that the SAID must me assigned by the entity controlling the 
> > destination address.  In fact, this is exactly my point.  Key management 
> > will do something different to establish a security association for two 
> > IPSP peers than to establish a multicast security association.
> > 
> > The IPSP processing may well be identical once those security associations 
> > are in place.
> 
> If you agree with that, then you are necessarily supporting the point
> that structured SAIDs are not needed for multicast.
> 
> .pm

Follow-Ups:

Re: multicasting & SAIDs

From: Ran Atkinson <rja@bodhi.itd.nrl.navy.mil>

References:

Re: (IPng) out-of-band key management is like virtual ...

From: "Perry E. Metzger" <perry@imsi.com>

Prev by Date: Re: (IPng) Re: out-of-band key management is like virtual circuits
Next by Date: Re: (IPng) Re: out-of-band key management is like virtual circuits
Prev by thread: Re: (IPng) out-of-band key management is like virtual ...
Next by thread: Re: multicasting & SAIDs
Index(es):
- Main
- Thread