Re: multicasting & SAIDs
[The subject line was edited to be more accurate. :-]
The SAID is _never_ a unique identifier BY ITSELF. It is _always_
interpreted _in the context of the Destination Address_, so there is
no possibility of conflict. All systems must use the PAIR of (SAID +
Destination Address) to determine the appropriate Security Association
and all systems must ALWAYS use this method. By the way, this scheme
works really nicely with Patricia Trees such as are implemented in
BSD's radix.c code.
So, let me try to illustrate by using one of the recently posted
examples. Assume some system with a single physical interface having
interface address A. Now assume that this same system is a receiver
for multicast group M (i.e. M will be the Destination Address for
multicast packets to that group). Now suppose that the system has
assigned a unicast Security Association having an SAID with value N,
and that the multicast group is using a different Security Association
also having an SAID with value N. If the system gets an incoming packet
that has an SAID with value N, there is still no conflict or
uncertainty of any kind because _in all cases_ the system uses the
PAIR of SAID and Destination Address to locate the Security
Association. The
Destination Addr for unicast packets in this example will be A and the
Destination Addr for multicast packets in this example will be M.
In IPv4 land, M will be a Class D address and A cannot be a Class D
address so there is no potential for conflict. In IPv6 land, there
are no "classes" (A, B, C, D, or E) but there is a unique prefix for
all multicast addresses so there is still no potential for conflict.
If someone still thinks there is a potential for conflict, please be
detailed in providing a counter-example so that we can try to
identify/resolve this matter.
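As an added illustration (not part of the original message), here is a small Python model of the lookup the message describes: a Security Association database keyed by the PAIR (Destination Address, SAID), loaded with a unicast SA for interface address A and a group SA for multicast address M that deliberately share the same SAID value N. It also shows why a lookup by SAID alone is ambiguous, and checks the Class D / ff00::/8 multicast property using the standard `ipaddress` module. The addresses, SAID value and key labels are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    said: int      # Security Association Identifier carried in the packet
    dst: str       # Destination Address the SA is bound to (unicast or group)
    key_label: str # constructed placeholder standing in for keying material


class SADB:
    """Security Association database indexed by (Destination Address, SAID)."""

    def __init__(self):
        self._by_pair = {}

    def add(self, sa):
        key = (ipaddress.ip_address(sa.dst), sa.said)
        if key in self._by_pair:
            # Only the full pair may not repeat; the SAID alone may.
            raise ValueError(f"duplicate SA for {key}")
        self._by_pair[key] = sa

    def lookup(self, dst, said):
        """The correct method: always use the pair from the received packet."""
        return self._by_pair.get((ipaddress.ip_address(dst), said))

    def lookup_by_said_only(self, said):
        """The incorrect method: SAID by itself can match several SAs."""
        return [sa for (_, s), sa in self._by_pair.items() if s == said]


def is_multicast(addr):
    # IPv4 Class D is 224.0.0.0/4; IPv6 multicast shares the ff00::/8 prefix.
    return ipaddress.ip_address(addr).is_multicast


def demo(A="192.0.2.10", M="239.1.2.3", N=4242):
    # A: the system's interface address; M: a group it receives; N: shared SAID.
    db = SADB()
    db.add(SecurityAssociation(N, A, "unicast-key"))
    db.add(SecurityAssociation(N, M, "group-key"))
    return {
        "unicast": db.lookup(A, N).key_label,       # packet to A with SAID N
        "multicast": db.lookup(M, N).key_label,     # packet to M with SAID N
        "said_only_matches": len(db.lookup_by_said_only(N)),
        "A_is_multicast": is_multicast(A),
        "M_is_multicast": is_multicast(M),
    }
```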