[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Please send me your GSEC presenation slides

To: annelies.van_moffaert@alcatel.be
Subject: Re: Please send me your GSEC presenation slides
From: Stephen Kent <kent@bbn.com>
Date: Fri, 3 May 2002 16:44:03 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <OFCEF14CC1.BF19DE52-ONC1256BAB.00451B3A@net.alcatel.be>
References: <OFCEF14CC1.BF19DE52-ONC1256BAB.00451B3A@net.alcatel.be>
Sender: owner-ipsec@lists.tislabs.com

At 2:51 PM +0200 4/30/02, annelies.van_moffaert@alcatel.be wrote:
>Hi Steven and all,
>
>I read the new IP Authentication Header I-D and I have a small question or
>remark about the multicast SAs. I saw that these are identified by the
>destination IP address
>and the SPI value and optionally, the protocol ID.
>I'm not sure whether this rules out all possible ambiguity for SSM. For SSM
>the IP destination address does not need to be unique (if I remember
>correctly). A group session is in SSM identified by the pair (Source IP,
>Destination IP) and it is possible that 2 different sources choose the same
>SSM group address as Destination IP address. The group controller of each
>will pick independently an SPI number. It's of course very unlikely but I
>think that it is then strictly speaking possible to have the same (SPI,
>Destination IP) pair for 2 different SSM sessions. In this case the
>receiver cannot differentiate between two different SAs since they have the
>same identification pair (Destion IP, SPI). Is this correct or did I
>overlook something?
>
>Kind regards,
>  Lies

Lies,

I am not familiar with the spec for SSM, but from an IP perspective 
it is not generally feasible to have two distinct multicast groups 
with the same IP layer address, as then there would be ambiguity in 
terms of routing.

Steve

Prev by Date: Ikev2 Traffic Selector payload
Next by Date: Re: Ikev2 IKE-SA rekey collision
Prev by thread: Re: Ikev2 Traffic Selector payload
Next by thread: PF_KEY socket code examples
Index(es):
- Date
- Thread