
Re: m-to-m multicast and SAs



Hi,

Not sure if I'm qualified to answer this, but having posted quite a
few cryptic messages to this list in hopes of getting good answers, I
feel I need to do something in return. So, I'll try to answer
something...


> From: Thomas <tho@laser.dsi.unimi.it>

> Consider now the specular situation by which we would ensure the traffic
> generated by group members and received by m (under the same algorithm-key).
> 
>                            m <--------------- M
>                                    SA[3]

> Now SA[2] == SA[3] (protocol identifier and SPI are the same because ingoing
> and outgoing traffic must be processed under the same (inverted) functions,
> and destination is in both cases M)
> 
> Again we have two distinct SAs (SA[2] OUTBOUND and SA[3] INBOUND) but we
> can't discern them as they correspond to the same tuplet.

Why distinct? A single SA for a multicast group would work for both
receiving and sending within the multicast group. One could also have
source-specific SAs negotiated within a multicast group; however, I
don't think anyone has yet thought about key management in multicast
groups.

Your multicast host would just have the policy

	inbound dst=M -> Apply SA[2]  (applying to incoming)
	outbound dst=M -> Apply SA[2] (applying to outgoing)
	inbound src=m2 dst=M -> Apply SA[4]  (source-specific SA)

You don't test the INBOUND and OUTBOUND status from the packet
addresses, you know it implicitly from the context (or you test the
SRC address!).

Aside from the conceptual problems in multicast key distribution and
negotiation, I don't see any problems applying SAs to multicast.

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203, FIN-02044 VTT, http://www.vtt.fi/tte/staff/msa/
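As an added example (not part of the original message), a small policy lookup that models the three rules above: direction is an input taken from context rather than derived from the addresses, one SA entry serves both directions for group M, and a source-specific inbound entry takes precedence over the wildcard. The `Policy` class, `select_sa` and the host names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    direction: str             # "inbound" or "outbound": known from context
    dst: str                   # destination, here the multicast group "M"
    src: Optional[str] = None  # None = any source; set for a source-specific SA
    sa: str = ""               # SA identifier; one SA may appear in both directions

# Constructed policy set mirroring the message's three rules.
POLICIES = [
    Policy("inbound", "M", None, "SA[2]"),
    Policy("outbound", "M", None, "SA[2]"),
    Policy("inbound", "M", "m2", "SA[4]"),
]

def select_sa(direction: str, src: str, dst: str,
              policies=POLICIES) -> Optional[str]:
    """Return the SA to apply to a packet.

    `direction` is supplied by the caller (which side of the IPsec
    processing the packet is on); it is never inferred from src/dst,
    since dst=M is identical for a group member's sends and receives.
    Among matching entries, one with an explicit src beats a wildcard.
    """
    candidates = [p for p in policies
                  if p.direction == direction and p.dst == dst
                  and (p.src is None or p.src == src)]
    if not candidates:
        return None
    candidates.sort(key=lambda p: p.src is None)  # explicit src first
    return candidates[0].sa

def sa_operation(direction: str, src: str, dst: str) -> Optional[tuple]:
    """Pair the chosen SA with the (inverted) function the direction implies."""
    sa = select_sa(direction, src, dst)
    if sa is None:
        return None
    return ("decrypt/verify", sa) if direction == "inbound" else ("encrypt/sign", sa)
```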

