
Re: Sharing SAs in the multi-sender environment



At 1:46 PM +0200 2/14/01, juha.ollila@nokia.com wrote:
>Hello!
>
>Is there any standardized or non-standardized way to share a single SA in
>the multi-sender environment? There are some problems (e.g. lack of
>anti-replay protection) with sharing SAs between several senders, but
>sharing SAs could be useful if there are several security gateways in the
>same security or administrative domain. Is there any problem with sharing a
>single SA between several receivers? Would someone help me with this issue?
>Thanks in advance.
>

Senders do not share unicast SAs: the keying material for an SA is 
assumed to be private to the end points of the SA, and we have no 
means of securely sharing keys among multiple originators. Also, as 
you noted, each sender is REQUIRED to send a "one-up" sequence 
number, which they cannot do without some magic coordination. For 
receivers, the problem is even harder, because receivers not only 
would need to share the keys, but also would need to coordinate SA 
SPIs, which are receiver controlled, and sequence number management.

Multicast will need to address these problems.  Look to that WG to 
propose solutions, e.g., MESP.

Steve
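
To make the sequence-number point in the reply above concrete, here is an added example (not from this thread or any IPsec implementation): a simplified receiver-side anti-replay sliding window in the style of ESP, fed by several senders that each number their own packets from 1 over one shared inbound SA. The 64-bit window size and the interleaved sender model are assumptions for illustration.

```python
# Added illustration: a simplified ESP-style anti-replay window (a 64-bit
# bitmap over the highest accepted sequence number) and a small simulation
# of independent senders sharing one SA. Window size is an assumption.

WINDOW = 64  # assumed window size; 32 is the minimum, 64 is common


class AntiReplayWindow:
    """Receiver-side sliding window for one inbound SA."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen
        self.accepted = 0
        self.rejected = 0

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it), False if rejected."""
        if seq == 0:        # sequence number 0 is never a valid first packet
            return self._reject()
        if seq > self.top:  # advance the window to the right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return self._accept()
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return self._reject()   # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return self._accept()

    def _accept(self):
        self.accepted += 1
        return True

    def _reject(self):
        self.rejected += 1
        return False


def simulate(num_senders, packets_each, shared_counter=False):
    """Interleave packets from num_senders over one SA; return (accepted, rejected).

    shared_counter=False: each sender numbers independently from 1 (no
    coordination), so later senders collide with numbers already seen.
    shared_counter=True: the coordinated single sequence space the reply
    says senders have no way to achieve; included only for contrast.
    """
    rx = AntiReplayWindow()
    counters = [0] * num_senders
    shared = 0
    for _ in range(packets_each):
        for s in range(num_senders):
            if shared_counter:
                shared += 1
                seq = shared
            else:
                counters[s] += 1
                seq = counters[s]
            rx.check_and_update(seq)
    return rx.accepted, rx.rejected
```

With two uncoordinated senders every packet from the second sender is discarded as a replay, which is the "lack of anti-replay protection" problem in practice: the receiver cannot tell a second legitimate originator from a replayed packet.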

