Intermediate SA - was Re: Routing
Message authorized by: email@example.com@INTERNET at #EMAIL
>I do not see any reason why the specs should prohibit an intermediate
>router from being party to a Security Association between two other
>systems (call them S and D) as long as those systems (S and D) choose
>to let that router be party to their Security Association.
I agree, even though I believe the use of intermediate routers sharing an SA
between two end systems is suspect. Other techniques (like multiple pair-wise
SAs) could be used to meet the same requirement. However, since the IAB
workshop documented this approach, we should include it as one of the ways an SA
can be established.
What if we treat the "intermediate router SA" as one of the ways that SAs can have
more than two participants? An "intermediate router SA" must use the same
mechanisms for shared SAs as broadcast or multicast traffic, since the usual
pair-wise negotiations will not guarantee uniqueness.
---- possible specification text ----
SA Security Association
SAID Security Association IDentifier
An SA consists of attributes shared between two or more security systems. An SA
shared between two systems provides "pair-wise" security. An SA can also be
established between multiple security systems to support broadcast traffic or
multicast communications. Intermediate systems may also share an SA between
other systems. This arrangement might be of use [reference IAB report] to support
authenticated traffic traversing a Firewall.
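The uniqueness point raised above (a receiver-chosen SAID is only unique per destination, so a shared SA needs an SAID that no participant is already using) can be made concrete with a small model. The following is an added example, not text or code from this thread or from any IPsec draft: the system names S, D and R, the SA table layout, the receiver-side allocator starting at 256, and the key strings are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class SA:
    """Attributes shared between two or more security systems."""
    said: int
    participants: frozenset   # names of the systems party to the SA
    key: bytes                # constructed sample key material, not a real key


class SecuritySystem:
    """A host or intermediate router holding its own SA table (hypothetical model)."""

    def __init__(self, name, first_said=256):
        self.name = name
        self._allocator = count(first_said)   # receiver-side SAID allocator (assumed)
        # Pair-wise SAs are keyed by (peer, SAID); shared SAs by (None, SAID),
        # because under a shared SA any participant may be the destination.
        self.table = {}

    def allocate_said(self):
        return next(self._allocator)

    def saids_in_use(self):
        return {said for (_peer, said) in self.table}

    def install(self, peer, sa):
        if (peer, sa.said) in self.table:
            raise ValueError(f"{self.name}: SAID {sa.said} already bound to {peer}")
        self.table[(peer, sa.said)] = sa

    def lookup(self, peer, said):
        """Resolve an incoming (source, SAID) to an SA: shared SAs first, then pair-wise."""
        sa = self.table.get((None, said)) or self.table.get((peer, said))
        if sa is None:
            raise KeyError(f"{self.name}: no SA for SAID {said} from {peer}")
        return sa


def negotiate_pairwise(sender, receiver, key):
    """Usual two-party SA: the receiver picks the SAID, unique only within that receiver."""
    sa = SA(receiver.allocate_said(), frozenset({sender.name, receiver.name}), key)
    receiver.install(sender.name, sa)    # receiver matches on (source, SAID)
    sender.install(receiver.name, sa)    # sender matches on (destination, SAID)
    return sa


def establish_shared(participants, key):
    """Multi-party SA (broadcast, multicast, or intermediate router).

    The SAID must not collide with any SAID already in use at *any* participant,
    because each of them may receive traffic under it and cannot fall back on a
    per-destination table to disambiguate.
    """
    taken = set().union(*(p.saids_in_use() for p in participants))
    said = max(taken, default=255) + 1
    sa = SA(said, frozenset(p.name for p in participants), key)
    for p in participants:
        p.install(None, sa)
    return sa


def demo():
    S, D, R = SecuritySystem("S"), SecuritySystem("D"), SecuritySystem("R")
    sa_sd = negotiate_pairwise(S, D, b"constructed-key-1")
    sa_sr = negotiate_pairwise(S, R, b"constructed-key-2")
    # D and R independently chose the same SAID (256). That is fine for pair-wise
    # SAs, since S's table distinguishes them by destination, but it shows why an
    # independently negotiated SAID cannot simply be reused for a shared SA.
    shared = establish_shared([S, D, R], b"constructed-key-3")
    # Router R, as a party to the S<->D SA, resolves the SAID without needing to
    # know which of S or D sent the packet.
    via_r = R.lookup("D", shared.said)
    return sa_sd.said, sa_sr.said, shared.said, via_r is shared


if __name__ == "__main__":
    print(demo())
```

The model keeps shared SAs in a separate key space so that the lookup an intermediate router performs depends only on the SAID, which is the property the "same mechanisms as broadcast or multicast" remark asks for; pair-wise entries stay keyed by peer so that two receivers handing out the same SAID to one sender is harmless.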