
Re: SA identification



In message <3AC00756.58C55221@cisco.com>, Brian Weis writes:
>"Steven M. Bellovin" wrote:
>
>
>Rather than make it multicast/unicast specific, a new SA attribute could
>be used to denote whether or not a 3-tuple should be used for
>evaluation. This would give multicast apps (or any unicast apps which
>wanted extra assurance) the chance to protect themselves. But I'm not
>sure this is any more palatable as it affects the key management system
>(passing the SA attribute) and adds more state to the IPSec processing.

On receipt you can't look up the SA until after you've matched 
on <SPI,protocol,dstaddr> or <SPI,protocol>...  

		--Steve Bellovin, http://www.research.att.com/~smb
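
The ordering constraint in the reply above, as an added example that is not part of the original message: a receiver-side SA database in Python in which a per-SA flag can only be read after a first match on <SPI,protocol>. The flag name `match_dst` is a hypothetical stand-in for the attribute proposed in the quoted text; the class names, SPIs and addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

ESP = 50  # IP protocol number for ESP

@dataclass(frozen=True)
class SA:
    name: str
    spi: int
    proto: int
    dst: str
    match_dst: bool  # hypothetical per-SA attribute: require dstaddr to match

class SAD:
    """Inbound SA database indexed only by fields present in the packet."""
    def __init__(self):
        self._index = defaultdict(list)

    def add(self, sa):
        self._index[(sa.spi, sa.proto)].append(sa)

    def lookup(self, spi, proto, dst):
        # Stage 1: match on <SPI,protocol>. No SA attribute can be
        # consulted here, because no SA has been found yet.
        candidates = self._index.get((spi, proto), [])
        # Stage 2: the attribute is readable only now, per candidate.
        dst = ip_address(dst)
        for sa in candidates:
            if sa.match_dst and ip_address(sa.dst) == dst:
                return sa          # 3-tuple match wins
        for sa in candidates:
            if not sa.match_dst:
                return sa          # 2-tuple match, dstaddr ignored
        return None                # no SA: packet must be dropped

def build_sample_sad():
    # Constructed entries: two SAs that share an SPI and protocol.
    sad = SAD()
    sad.add(SA("group", 0x1000, ESP, "239.1.1.1", match_dst=True))
    sad.add(SA("unicast", 0x1000, ESP, "192.0.2.10", match_dst=False))
    sad.add(SA("strict", 0x2000, ESP, "192.0.2.10", match_dst=True))
    return sad

if __name__ == "__main__":
    sad = build_sample_sad()
    for spi, dst in [(0x1000, "239.1.1.1"), (0x1000, "198.51.100.7"),
                     (0x2000, "198.51.100.7")]:
        sa = sad.lookup(spi, ESP, dst)
        print(hex(spi), dst, "->", sa.name if sa else "no SA")
```

The extra per-packet state the quoted text worries about is visible in stage 2: every candidate under a shared <SPI,protocol> has to be inspected before the receiver knows which comparison applies.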



