[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Intermediate SA - was Re[2]: Routing



Message authorized by:
    : rja@bodhi.nrl.navy.mil@INTERNET at #EMAIL

Ran,

>I do not see any reason why the specs should prohibit an intermediate
>router from being party to a Security Association between two other
>systems (call them S and D) as long as those systems (S and D) choose
>to let that router be party to their Security Association.

I agree even though I believe the use of intermediate routers sharing a SA 
between two end systems is suspect.  Other techniques (like multiple pair-wise 
SAs) could be used to meet the same requirement.  However, since the IAB 
workshop documented this approach we should include it as one of the ways an SA 
can be established.

What if we treat the "intermediate router SA" as one ways that SAs can have 
more than two participants.  A "intermediate router SA" must use the same 
mechanisms for shared SAs as broadcast or muliticast traffic since the usual 
pair-wise negotiations will not guarantee uniqueness.

Paul


    ---- possible specification text ----

Glossary Terms

  SA       Security Association
  SAID     Security Association IDentifier

An SA consists of attributes shared between two or more security systems.  A SA 
shared between two systems provides "pair-wise" security.  A SA can also be 
established between multiple security systems to support broadcast traffic or 
multicast communications.  Intermediate systems may also share a SA between 
other systems.  This arrange might be of use [reference IAB report] to support 
authenticated traffic traversing a Firewall.