
Re: On the Use of SCTP with IPsec



"Steven M. Bellovin" wrote:
 > 
 > In message <3A952EC3.E8FB436D@cisco.com>, "Randall R. Stewart" writes:
 > 
 > >> Fourth, do you have an idea what typical SCTP policies/
 > >> selectors look like? Are they protocol and port
 > >> specific, or is everything from the particular addresses
 > >> covered by the SAs? If the former, is SCTP relying on
 > >> ICMP in any way?
 > >>
 > >
 > >I don't know what a policy selector looks like for SCTP :)
 > >But yes SCTP does rely on ICMP for Path MTU discovery ... just
 > >like TCP.. This is the only place where SCTP uses ICMP though...
 > >
 > 
 > Let me translate here...
 > 
 > The selector is used to decide what packets are encrypted under what
 > SA.  With TCP, the standard selectors are source address, dest address,
 > source port, dest port, protocol type, user name, and security label.
 > The question is whether or not SCTP requires any further criteria.
 > I don't know of any -- I can't see any reason to use different SAs for
 > different substreams within an SCTP connection, for example.
 > 
 >                 --Steve Bellovin, http://www.research.att.com/~smb
Steve:

Thanks for the translation.. with that definition and translation.. I
see no need for more than what you just listed...

R
-- 
Randall R. Stewart
Systems & Solutions Engineering
Cisco Systems Inc.
rrs@cisco.com 815-342-5222 or 815-477-2127
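
Added example, not part of the original messages: a simplified selector lookup showing that a port-specific SCTP selector maps every stream of an association to the same SA, while the ICMP message used for Path MTU discovery falls outside that selector. The addresses, ports, SA name and class names are constructed for illustration; traffic direction, user name and security label are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IPPROTO_ICMP, IPPROTO_SCTP = 1, 132  # IANA protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None        # None for protocols without ports (ICMP)
    dport: Optional[int] = None
    sctp_stream: Optional[int] = None  # stream id of a DATA chunk; never consulted below

@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR prefix
    dst: str                      # CIDR prefix
    proto: Optional[int] = None   # None = wildcard
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def lookup(spd, pkt, default="NO-MATCH"):
    """Return the action of the first entry whose selector matches (ordered list)."""
    for selector, action in spd:
        if selector.matches(pkt):
            return action
    return default

# Constructed policy: one protocol- and port-specific SCTP entry between two hosts.
SPD = [(Selector("192.0.2.1/32", "198.51.100.7/32", IPPROTO_SCTP, 5000, 2905), "SA-1")]

# Constructed traffic: two streams of one association, plus an ICMP
# "fragmentation needed" message from an on-path router (PMTU discovery).
stream0 = Packet("192.0.2.1", "198.51.100.7", IPPROTO_SCTP, 5000, 2905, sctp_stream=0)
stream5 = Packet("192.0.2.1", "198.51.100.7", IPPROTO_SCTP, 5000, 2905, sctp_stream=5)
icmp_ptb = Packet("203.0.113.254", "192.0.2.1", IPPROTO_ICMP)

if __name__ == "__main__":
    for name, p in [("stream 0", stream0), ("stream 5", stream5), ("ICMP PTB", icmp_ptb)]:
        print(f"{name:9} -> {lookup(SPD, p)}")
```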


