Re: SA identification
In message <3AC00756.58C55221@cisco.com>, Brian Weis writes:
>"Steven M. Bellovin" wrote:
>
>
>Rather than make it multicast/unicast specific, a new SA attribute could
>be used to denote whether or not a 3-tuple should be used for
>evaluation. This would give multicast apps (or any unicast apps which
>wanted extra assurance) the chance to protect themselves. But I'm not
>sure this is any more palatable as it affects the key management system
>(passing the SA attribute) and adds more state to the IPSec processing.
On receipt you can't look up the SA until after you've matched
on <SPI,protocol,dstaddr> or <SPI,protocol>...
--Steve Bellovin, http://www.research.att.com/~smb
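
Added example, not part of the original message: a sketch of inbound SA lookup showing the ordering constraint raised in the reply above. A per-SA attribute (here the hypothetical `match_dst` flag) is stored in the SA itself, so it can only be read after a first match on <SPI,protocol> has produced a candidate. The struct, field names and sample entries are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical SA database entry; all field names are illustrative. */
struct sa {
    uint32_t spi;
    uint8_t  proto;      /* 50 = ESP, 51 = AH */
    uint32_t dst;        /* IPv4 destination address, host byte order */
    int      match_dst;  /* assumed SA attribute: require the full 3-tuple */
};

/* Constructed sample SAD. */
static const struct sa sad[] = {
    { 0x1000, 50, 0xE0000101u, 1 },  /* 224.0.1.1, 3-tuple required */
    { 0x2000, 50, 0xC0000201u, 0 },  /* 192.0.2.1, <SPI,protocol> suffices */
};

/*
 * Inbound lookup. The receiver cannot choose its match key from the
 * attribute up front, because the attribute is part of the SA it is
 * still trying to find.
 */
const struct sa *sad_lookup(uint32_t spi, uint8_t proto, uint32_t dst)
{
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++) {
        const struct sa *c = &sad[i];

        /* Stage 1: match on <SPI,protocol> to obtain a candidate SA. */
        if (c->spi != spi || c->proto != proto)
            continue;

        /* Stage 2: only now is the attribute visible; enforce dstaddr. */
        if (c->match_dst && c->dst != dst)
            continue;

        return c;
    }
    return NULL;  /* no SA: the packet is dropped */
}
```
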