[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Outbound interface as a selector (revisited)

To: ipsec@lists.tislabs.com
Subject: Outbound interface as a selector (revisited)
From: Dan McDonald <danmcd@Eng.Sun.Com>
Date: Thu, 21 Oct 1999 16:57:30 -0700 (PDT)
Sender: owner-ipsec@lists.tislabs.com

I want to clarify what I'm seeking with an example.

Consider two multicast SAs (I'm using IPv6 as an example, substitute 224.0.0.1
if you're a real IPv6-hater) on a multi-homed host or a router:

	SPI = 0xdeadbeeef
	dst = ff02::1
	authalg = MD5
	authkey = <something>

	    | qfe2
	+---+----+
	| Router |
	+---+----+
	    | qfe1

	SPI = 0xfeedface
	dst = ff02::1
	authalg = MD5
	authkey = <something else>

Now let's say that 0xfeedface is for one of the routers interfaces (call it
qfe1), and that 0xdeadbeef is for another router's interface (call it qfe2).
I have no real way of knowing that unless I can select the appropriate SA
based on the interface.

Likewise, on inbound packets, I should only accept ff02::1 packets from the
0xdeadbeef SA iff it arrives on interface qfe2.

I'd like to have something indicating a LINK ID for SA selection.  And I say
LINK ID instead of interface ID, because I may have a fault-tolerant
implementation such that...

	qfe2 | | qfe3
	+----+-+-+
	| Router |
	+----+-+-+
	qfe0 | | qfe1

where qfe0-1 are on the same physical link, and qfe2-3 are also on the same
physical link.

Dan

p.s. This is prelude to something else I'll be mailing to this list and the
     IPng list.

Prev by Date: Shared Secret mismatch in AM3/MM5
Next by Date: Re: CRACK
Prev by thread: Re: Shared Secret mismatch in AM3/MM5
Next by thread: RE: Outbound interface as a selector (revisited)
Index(es):
- Main
- Thread