
Re: SA identification



Regardless of what you do, the destination address is an implicit
discriminator because the IP layer ensures that packets to a different
system won't make it to AH/ESP.

> 	- do we have any examples of plausible scenarios where we 
> need the destination address as a discriminator for inbound traffic 
> (in addition to the SPI)?

Steve Bellovin also brought up the multicast case.  (I'd say
"non-unicast" rather than "multicast" since someone may want secure
anycast some day as well).

There's also the question of exactly where the SADB lies -- folks seem
to be building a fair number of "non-traditional" hosts -- whether
hosting multiple virtual hosts inside a single computer, or
load-spreading a single destination address across many computers.  No
doubt someone's eventually going to want to do both of the above
simultaneously.

> 	- how strongly would vendors feel about changing the spec to 
> remove the requirement to match on all 3 values noted above?

Our implementation allows SA's to be specified with a wildcarded
destination.

I'd oppose removing protocol as a discriminator for inbound SA lookup.

> Note that SA identification is a local matter for an IPsec receiver, 
> and thus it should be possible for a receiver to use just the SPI 
> just through appropriate management of that space. So the question is 
> really whether anyone manages SPIs in a fashion that relies on using 
> the other two values for differentiation.

Our implementation has separate loadable modules (and separate tables)
for ESP vs. AH SA's.

						- Bill
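As an added example (not the poster's code, nor any vendor's implementation), here is a small Python model of the inbound SADB described above: SAs are matched on SPI, destination and protocol, ESP and AH live in separate tables, and a destination may be wildcarded for the non-unicast or load-spread case. Class names, SPIs and addresses are constructed for illustration.

```python
"""Model of inbound IPsec SA lookup keyed on (SPI, destination, protocol).

Hypothetical names (SecurityAssociation, InboundSadb); sample SPIs and
addresses are constructed and drawn from documentation address ranges.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP, AH = 50, 51   # IP protocol numbers for ESP and AH
ANY_DST = "*"      # wildcarded destination: matches any address the IP layer delivers


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str     # a unicast or multicast address, or ANY_DST
    proto: int   # ESP or AH
    label: str   # constructed tag so lookups can be checked


class InboundSadb:
    """One table per protocol, so the same SPI value may exist for ESP and AH."""

    def __init__(self) -> None:
        self._tables: Dict[int, Dict[Tuple[int, str], SecurityAssociation]] = {ESP: {}, AH: {}}

    def add(self, sa: SecurityAssociation) -> None:
        table = self._tables[sa.proto]
        key = (sa.spi, sa.dst)
        if key in table:
            raise ValueError(f"duplicate inbound SA {key} for protocol {sa.proto}")
        table[key] = sa

    def lookup(self, spi: int, dst: str, proto: int) -> Optional[SecurityAssociation]:
        """Exact (SPI, dst) match first, then a wildcard-destination SA; None means drop."""
        table = self._tables.get(proto)
        if table is None:
            return None   # neither AH nor ESP: nothing to look up
        return table.get((spi, dst)) or table.get((spi, ANY_DST))


def build_sample_sadb() -> InboundSadb:
    """Constructed sample: one SPI shared across protocols, plus a wildcard SA."""
    sadb = InboundSadb()
    sadb.add(SecurityAssociation(0x1000, "192.0.2.1", ESP, "esp-unicast"))
    sadb.add(SecurityAssociation(0x1000, "192.0.2.1", AH, "ah-unicast"))  # same SPI, other table
    sadb.add(SecurityAssociation(0x2000, ANY_DST, ESP, "esp-wildcard"))   # e.g. multicast receiver
    return sadb
```

A lookup with the right SPI but the wrong protocol, or a unicast destination the SA was not created for, returns None and the packet is dropped rather than decrypted under the wrong keys.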

