
Re: SA identification



At 11:43 AM -0500 3/22/01, Bill Sommerfeld wrote:
>Regardless of what you do, the destination address is an implicit
>discriminator because the IP layer ensures that packets to a different
>system won't make it to AH/ESP.
>
>>	- do we have any examples of plausible scenarios where we
>>  need the destination address as a discriminator for inbound traffic
>>  (in addition to the SPI)?
>
>Steve Bellovin also brought up the multicast case.  (I'd say
>"non-unicast" rather than "multicast" since someone may want secure
>anycast some day as well).

Good point.

>There's also the question of exactly where the SADB lies -- folks seem
>to be building a fair number of "non-traditional" hosts -- whether
>hosting multiple virtual hosts inside a single computer, or
>load-spreading a single destination address across many computers.  No
>doubt someone's eventually going to want to do both of the above
>simultaneously.

Hmmm. Hadn't considered that issue. In the first case, this is a 
problem if one has a single IPsec "device" serving all of the hosts 
and yet not acting as a security gateway, right? Doesn't the IP 
implementation have to be "funny" here too? In the second case, I'm 
not sure how the use of the dest IP address enters into the 
discussion. Could you elaborate?

>
>>	- how strongly would vendors feel about changing the spec to
>>  remove the requirement to match on all 3 values noted above?
>
>Our implementation allows SA's to be specified with a wildcarded
>destination.
>
>I'd oppose removing protocol as a discriminator for inbound SA lookup.
>
>>  Note that SA identification is a local matter for an IPsec receiver,
>>  and thus it should be possible for a receiver to use just the SPI
>>  just through appropriate management of that space. So the question is
>>  really whether anyone manages SPIs in a fashion that relies on using
>>  the other two values for differentiation.
>
>Our implementation has separate loadable modules (and separate tables)
>for ESP vs. AH SA's.
>

So that's one vote for keeping in the AH/ESP discriminator even if AH 
is not required, right?

Steve
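An added illustration of the inbound SA lookup the thread is debating: a receiver that keys on the (SPI, protocol, destination) triple, with a wildcarded destination allowed, beside a lookup keyed on the SPI alone. This is example code written for this page, not the quoted implementation or the spec's text; the SADB entries, SPIs and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SA:
    spi: int
    proto: str          # "ESP" or "AH": the protocol discriminator
    dst: Optional[str]  # destination address, or None for a wildcarded destination
    label: str          # constructed name, used only to identify the entry


class AmbiguousSA(Exception):
    """Raised when an inbound packet matches more than one SA."""


def lookup_inbound(sadb: List[SA], spi: int, proto: str, dst: str) -> SA:
    """Select the inbound SA using the (SPI, protocol, destination) triple.

    An exact destination match wins over a wildcarded one, and the protocol
    always discriminates, so an ESP SPI never selects an AH entry.
    """
    exact = [sa for sa in sadb if (sa.spi, sa.proto, sa.dst) == (spi, proto, dst)]
    if len(exact) > 1:
        raise AmbiguousSA(f"{len(exact)} exact SAs for SPI {spi:#x}/{proto}/{dst}")
    if exact:
        return exact[0]
    wild = [sa for sa in sadb if (sa.spi, sa.proto, sa.dst) == (spi, proto, None)]
    if len(wild) > 1:
        raise AmbiguousSA(f"{len(wild)} wildcard SAs for SPI {spi:#x}/{proto}")
    if wild:
        return wild[0]
    raise KeyError(f"no inbound SA for SPI {spi:#x}/{proto}/{dst}")


def lookup_by_spi_only(sadb: List[SA], spi: int) -> List[SA]:
    """Candidates a receiver would see if it keyed on the SPI alone."""
    return [sa for sa in sadb if sa.spi == spi]


# Constructed SADB: SPI 0x1000 is reused across the AH and ESP tables (as in an
# implementation with separate per-protocol tables) and across a unicast and a
# multicast destination; SPI 0x2000 carries a wildcarded destination.
SADB = [
    SA(0x1000, "ESP", "192.0.2.10", "esp-unicast"),
    SA(0x1000, "AH", "192.0.2.10", "ah-unicast"),
    SA(0x1000, "ESP", "224.0.5.1", "esp-multicast"),
    SA(0x2000, "ESP", None, "esp-any-dst"),
]
```

With this SADB the SPI-only lookup for 0x1000 returns three candidates, while the triple lookup resolves each packet to exactly one SA; a receiver that wants SPI-only lookup has to keep its SPI space unique across protocols and destinations.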

