[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Corner case: Replay and INADDR_ANY src addressed SAs

To: ipsec@tis.com
Subject: Corner case: Replay and INADDR_ANY src addressed SAs
From: Dan McDonald <danmcd@Eng.Sun.Com>
Date: Wed, 7 Jan 1998 13:01:08 -0800 (PST)
Sender: owner-ipsec@ex.tis.com

Hello!

I've found an interesting corner case that's almost-but-not-quite nailed in
the specs.

Consider an SA with a source address of INADDR_ANY (or IN6ADDR_ANY for IPv6
fans in the audience).  Since SAs are keyed off of <proto, dstaddr, SPI>, the
source address can be unspecified.  The normal usage for such SAs are
multicast and (gag) broadcast.  It is possible, however, to have an SA with
an unspecified source address and a unicast destination.

The spec says that replay protection should be disabled for multicast SAs.
What about unicast SAs that have multiple senders?  Likewise, if a multicast
SA only has one sender, replay protection should be able to work alright.

Yes it's a corner case, but it's looking like the smart thing to do is check
replay:

	a.) If enabled on the SA
and	b.) Integrity is enabled (always true for AH, sometimes true for ESP)
and	c.) If there's a _specific_ source address tied to the SA

Am I missing something here?

--
Daniel L. McDonald  -  Solaris Internet Engineering  ||  MY OPINIONS ARE NOT
Mail: danmcd@eng.sun.com, danmcd@kebe.com <*>        ||  NOT NECESSARILY SUN'S!
Phone: (650) 786-6815            |"rising falling at force ten
WWW: http://www.kebe.com/~danmcd | we twist the world and ride the wind" - Rush

Prev by Date: ANX bakeoff info
Next by Date: implicit padding for authentication
Prev by thread: ANX bakeoff info
Next by thread: implicit padding for authentication
Index(es):
- Main
- Thread