[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng) out-of-band key management is like virtual ...

solo@BBN.COM says:
> The secured PDU being sent to a multicast group contains a single
> SAID.  Further, the membership in a such a group may be dynamic over
> time.  Consequently, it seems that in some cases, I (a recipient)
> will join a secure multicast group and be TOLD the SAID.  This is no
> longer a destination assigned SAID (it is also unclear whether at
> group establishment the SAID is "negotiated" among all parties or
> assigned by the group "master").

In the document it is clearly stated that the SAID is assigned at the
pleasure of the entity controlling the destination address, and not
necessarily the hosts that use that destination address.

The proposed multicast key management protocols that have been
discussed thus far seem to deal with this just fine -- without
needing structured SAIDs.

> I thought it was this case that argued for
> some bit (either "originator assigned" or "multicast group") in the

I fail to see how such a bit would in practice alter the way that IPSP
deals with packets, so I fail to see what its purpose would be.

SAIDs are negotiated OUT OF BAND. Once they are assigned and set up in
a kernel processing is the same regardless of where they came from. In
a reasonable implementation, SAIDs are destination address dependent
so that even if you don't control the destination address (i.e. you
are in a multicast group) provided someone controls the assignment of
SAIDs for that destination you are fine and no conflicts will arise.