
Re: SA identification



In message <p05010401b6dfaec6aa35@[128.33.238.44]>, Stephen Kent writes:
>During Tuesday's HIP BOF, JI raised a question that I had begun to 
>contemplate while working on revising 2401: why do we need three 
>values to identify an SA for incoming IPsec traffic? We currently 
>require matching on protocol (AH vs. ESP), SPI, and destination 
>address.  It's clear that the protocol input can be made redundant by 
>assigning SPIs without protocol specificity. Some mobility problems 
>could be addressed if we ignored destination address. So, I have two 
>questions for the list:
>
>	- do we have any examples of plausible scenarios where we 
>need the destination address as a discriminator for inbound traffic 
>(in addition to the SPI)?
>
>	- how strongly would vendors feel about changing the spec to 
>remove the requirement to match on all 3 values noted above?
>
>Note that SA identification is a local matter for an IPsec receiver, 
>and thus it should be possible for a receiver to use just the SPI 
>just through appropriate management of that space. So the question is 
>really whether anyone manages SPIs in a fashion that relies on using 
>the other two values for differentiation.

The usual answer is that multicast needs it.  Now that we have a 
multicast security group, this may be more important.

I agree, though, that the 3-tuple requirement is annoying.  And I 
suspect that people would not like the answer "use a 3-tuple for 
multicast, but a pair for unicast".

		--Steve Bellovin, http://www.research.att.com/~smb
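The lookup rule under discussion can be made concrete with a small model of an inbound SA database. The following is an added example, not code from the thread or from any IPsec implementation; the addresses, SPI values and the receiver-managed SPI allocator are constructed for illustration. It indexes the same SAs two ways, by the RFC 2401 (protocol, SPI, destination) 3-tuple and by SPI alone, so one can see that SPI-only lookup works for unicast SAs whose SPIs the receiver allocates itself, and becomes ambiguous as soon as a multicast SA arrives with an SPI the receiver did not choose:

```python
"""Constructed model of inbound IPsec SA identification: 3-tuple vs. SPI-only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    proto: str   # "ESP" or "AH"
    spi: int     # Security Parameters Index carried in the packet
    dst: str     # destination address on the wire (unicast or group)
    label: str   # human-readable tag, used only by this example


class SAD:
    """Inbound security association database with two parallel indexes.

    _by_tuple is the (proto, spi, dst) index required by RFC 2401.
    _by_spi is the SPI-only index proposed in the thread; it is kept
    alongside so the example can report when it stops being unique.
    """

    def __init__(self) -> None:
        self._by_tuple: Dict[Tuple[str, int, str], SA] = {}
        self._by_spi: Dict[int, List[SA]] = {}
        # Assumed receiver-managed SPI space; one counter for AH and ESP,
        # which is what makes the protocol field redundant for unicast.
        self._next_local_spi = 0x1000

    def alloc_spi(self) -> int:
        """Allocate an SPI from the receiver's own space, protocol-agnostic."""
        spi = self._next_local_spi
        self._next_local_spi += 1
        return spi

    def install(self, sa: SA) -> None:
        key = (sa.proto, sa.spi, sa.dst)
        if key in self._by_tuple:
            raise ValueError(f"duplicate SA {key}")
        self._by_tuple[key] = sa
        self._by_spi.setdefault(sa.spi, []).append(sa)

    def lookup_3tuple(self, proto: str, spi: int, dst: str) -> Optional[SA]:
        """RFC 2401 style lookup on all three values."""
        return self._by_tuple.get((proto, spi, dst))

    def lookup_spi_only(self, spi: int) -> Optional[SA]:
        """SPI-only lookup; None when the SPI no longer identifies one SA."""
        cands = self._by_spi.get(spi, [])
        return cands[0] if len(cands) == 1 else None

    def ambiguous_spis(self) -> List[int]:
        """SPIs that map to more than one SA under SPI-only identification."""
        return sorted(spi for spi, sas in self._by_spi.items() if len(sas) > 1)


def build_example_sad() -> SAD:
    """Constructed scenario: two receiver-allocated unicast SAs plus one
    multicast SA whose SPI was chosen by the group controller."""
    sad = SAD()
    # Unicast: the receiver picks the SPIs, so SPI alone is unique even
    # across AH and ESP (0x1000 and 0x1001 here).
    sad.install(SA("ESP", sad.alloc_spi(), "192.0.2.10", "unicast-esp"))
    sad.install(SA("AH", sad.alloc_spi(), "192.0.2.10", "unicast-ah"))
    # Multicast: the SPI is assigned by the group, not the receiver, so the
    # receiver cannot keep it out of its own space.  Assume it is 0x1000,
    # colliding with the unicast ESP SA; only the destination (group)
    # address tells the two apart.
    sad.install(SA("ESP", 0x1000, "233.252.0.1", "multicast-esp"))
    return sad


if __name__ == "__main__":
    sad = build_example_sad()
    print("3-tuple, unicast :", sad.lookup_3tuple("ESP", 0x1000, "192.0.2.10").label)
    print("3-tuple, group   :", sad.lookup_3tuple("ESP", 0x1000, "233.252.0.1").label)
    print("SPI-only 0x1001  :", sad.lookup_spi_only(0x1001).label)
    print("SPI-only 0x1000  :", sad.lookup_spi_only(0x1000))
    print("ambiguous SPIs   :", [hex(s) for s in sad.ambiguous_spis()])
```

The model makes the two halves of the thread visible: with SPIs allocated by the receiver, dropping the protocol and address fields loses nothing, but the moment an SPI is chosen elsewhere (the multicast case) the destination address is the only remaining discriminator, and a receiver that indexes by SPI alone must detect the collision at install time rather than silently matching the wrong SA.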
