
Re: SA identification



"Steven M. Bellovin" wrote:
> 
> In message <3AC00756.58C55221@cisco.com>, Brian Weis writes:
> >"Steven M. Bellovin" wrote:
> >
> >
> >Rather than make it multicast/unicast specific, a new SA attribute could
> >be used to denote whether or not a 3-tuple should be used for
> >evaluation. This would give multicast apps (or any unicast apps which
> >wanted extra assurance) the chance to protect themselves. But I'm not
> >sure this is any more palatable as it affects the key management system
> >(passing the SA attribute) and adds more state to the IPSec processing.
> 
> On receipt you can't look up the SA until after you've matched
> on <SPI,protocol,dstaddr> or <SPI,protocol>...
> 
>                 --Steve Bellovin, http://www.research.att.com/~smb

Oops, that is problematic. Thanks for the quick correction.

Brian Weis
bew@cisco.com
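
The ordering problem raised in this exchange, as an added Python illustration that is not part of the original messages. The `use_3tuple` flag, the two-table layout and the fixed probe order are assumptions of this example, and the addresses and SPIs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    proto: str        # "esp" or "ah"
    dst: str
    use_3tuple: bool  # hypothetical name for the proposed per-SA attribute

class SAD:
    """Toy inbound SA database (constructed for illustration)."""

    def __init__(self):
        self._exact = {}  # (spi, proto, dst) -> SA, for SAs flagged use_3tuple
        self._loose = {}  # (spi, proto)      -> SA, for all other SAs

    def add(self, sa):
        # At install time the SA is in hand, so its flag can pick the table.
        if sa.use_3tuple:
            self._exact[(sa.spi, sa.proto, sa.dst)] = sa
        else:
            self._loose[(sa.spi, sa.proto)] = sa

    def lookup(self, spi, proto, dst):
        # On receipt only header fields exist: there is no SA yet, hence no
        # flag to consult. The probe order must be the same for every packet.
        hit = self._exact.get((spi, proto, dst))
        if hit is None:
            hit = self._loose.get((spi, proto))
        return hit

def demo():
    """Install two group SAs sharing an SPI plus one unicast SA."""
    sad = SAD()
    g1 = SA(0x1000, "esp", "233.252.0.1", True)
    g2 = SA(0x1000, "esp", "233.252.0.2", True)  # same SPI, different group
    u = SA(0x2000, "esp", "192.0.2.1", False)
    for sa in (g1, g2, u):
        sad.add(sa)
    return sad, g1, g2, u

if __name__ == "__main__":
    sad, g1, g2, u = demo()
    print(sad.lookup(0x1000, "esp", "233.252.0.2"))
    print(sad.lookup(0x1000, "esp", "233.252.0.9"))
```

The second table is the extra per-packet state mentioned in the quoted proposal; the flag itself is only ever read in `add`, never in `lookup`.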

