
Re: SCTP and IPsec issues




In message <20010326212808.A2145@think>, Theodore Tso writes:
>
>My apologies for being pedantic, but you don't mean that in order to
>access the SAD, you have to know the complete set of the destination
>addresses, right?  Rather, that given any one of a set of the
>destination addresses, the SPI, and the security protocol, one can
>look up an SA in the SAD.  Correct?

You are correct.

>One other issue to add to your list.  I was talking to some SCTP
>folks, and the one thing which they thought would likely be
>successfully added to SCTP is a mechanism for adding an additional
>endpoint address to an existing SCTP connection.  If this feature does
>get added to SCTP (and I can see how it might be useful; for example,
>to add your new IP address if you're about to be renumbered, so you
>can have SCTP connections survive renumbering events) then we will
>need some way by which we can modify the SPD to take into account the
>new endpoint address.  I don't think we'll need a particularly
>complicated mechanism to handle this.  A simple solution would be to
>just force a new Phase 2 exchange whenever the endpoint address set
>changes; after all, I don't think this will likely be a frequent operation.

You're right, and the draft already does mention this exact same case, with
your assumption as a solution :-)

You might have to do a complete Phase 1/Phase 2 exchange, depending on what
credentials you've sent over (if you depend on them to do address
verification), but that's a detail really.
-Angelos
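The two points agreed on above (an SA that covers a set of SCTP destination addresses is found from any one of them plus the SPI and security protocol, and a change to the endpoint address set is handled by forcing a new Phase 2 exchange rather than by patching the existing SA) can be modelled as a small SAD. The code below is an added illustration, not part of the thread or of any IPsec implementation; the address values, SPIs and `key_id` label are constructed, and `needs_renegotiation`, `add_endpoint` and `renegotiate` are hypothetical names for the behaviour described in the messages.

```python
"""Toy Security Association Database (SAD) for an SCTP multihomed peer.

Constructed example: one SA carries a *set* of destination addresses,
the inbound lookup key is (one destination address, SPI, protocol), and
adding an endpoint address invalidates the SA until a fresh Phase 2
exchange installs a replacement that covers the enlarged address set.
"""
from dataclasses import dataclass

ESP = 50  # IP protocol numbers of the two IPsec security protocols
AH = 51


@dataclass
class SecurityAssociation:
    spi: int
    protocol: int
    dst_addrs: frozenset  # every destination address of the SCTP association
    key_id: str  # stands in for keys/algorithms; constructed label
    needs_renegotiation: bool = False  # hypothetical flag: Phase 2 pending


class SAD:
    def __init__(self):
        # One SA is indexed once per destination address, so any single
        # address together with (SPI, protocol) resolves it.
        self._index = {}
        self._sas = []

    def install(self, sa):
        keys = [(a, sa.spi, sa.protocol) for a in sa.dst_addrs]
        for key in keys:
            if key in self._index:
                raise ValueError(f"SAD collision on {key}")
        for key in keys:
            self._index[key] = sa
        self._sas.append(sa)

    def remove(self, sa):
        for a in sa.dst_addrs:
            self._index.pop((a, sa.spi, sa.protocol), None)
        self._sas.remove(sa)

    def lookup(self, dst_addr, spi, protocol):
        """Inbound lookup: the receiver needs only the address the packet
        actually arrived on, not the complete address set."""
        return self._index.get((dst_addr, spi, protocol))

    def add_endpoint(self, sa, new_addr):
        """Endpoint address set changed. The simple policy from the thread:
        do not widen the live SA; mark it and return the address set the
        new Phase 2 exchange has to negotiate. Until that completes,
        lookup() on new_addr finds nothing and such traffic is not accepted."""
        sa.needs_renegotiation = True
        return sa.dst_addrs | {new_addr}

    def renegotiate(self, old_sa, new_spi, dst_addrs):
        """Result of the forced Phase 2: a new SA (new SPI, new keys) that
        covers the full address set replaces the old one."""
        new_sa = SecurityAssociation(new_spi, old_sa.protocol,
                                     frozenset(dst_addrs),
                                     old_sa.key_id + "-rekeyed")
        self.install(new_sa)
        self.remove(old_sa)
        return new_sa

    def count(self):
        return len(self._sas)


def demo():
    """Walk through both cases discussed above and report what the SAD does."""
    sad = SAD()
    sa = SecurityAssociation(spi=0x1000, protocol=ESP,
                             dst_addrs=frozenset({"10.0.0.1", "10.0.1.1"}),
                             key_id="k1")  # constructed values
    sad.install(sa)
    result = {
        "hit_first_addr": sad.lookup("10.0.0.1", 0x1000, ESP) is sa,
        "hit_second_addr": sad.lookup("10.0.1.1", 0x1000, ESP) is sa,
        "miss_wrong_proto": sad.lookup("10.0.0.1", 0x1000, AH) is None,
    }
    pending = sad.add_endpoint(sa, "10.0.2.1")
    result["new_addr_unusable_before_phase2"] = (
        sad.lookup("10.0.2.1", 0x1000, ESP) is None)
    new_sa = sad.renegotiate(sa, 0x1001, pending)
    result["new_addr_usable_after_phase2"] = (
        sad.lookup("10.0.2.1", 0x1001, ESP) is new_sa)
    result["old_sa_gone"] = sad.lookup("10.0.0.1", 0x1000, ESP) is None
    result["sa_count"] = sad.count()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The index keyed per address is what makes the multihomed case cheap on the receive path: a packet arriving on any of the association's addresses resolves to the same SA in one lookup. Keeping the address set immutable on a live SA and rekeying instead, as the thread suggests, also means the new address is only trusted once the peer has re-proven it in the new exchange.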
