
IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?



Dear all,

Some time ago I posted a comment on the list regarding the new IPsec AH and
ESP I-Ds
 draft-ietf-ipsec-rfc2402bis-00.txt and
 draft-ietf-ipsec-esp-v3-02.txt

In these drafts it is stated that for multicast the SPI in combination with
the destination IP address is used to select an SA. This can however lead
to ambiguity problems for SSM SAs (SSM = Source Specific Multicast).

A range of multicast IP addresses is reserved for SSM. In SSM a group is
characterized by the pair (source IP address, destination IP address) and
every source can freely choose a destination IP address from the SSM range.
This means that it is possible that two different sources use the same
group address as IP destination address.
If the group controllers of the 2 would happen to choose the same SPI value
then the common receivers cannot distinguish between the SAs for the 2
different groups since they have the same SPI and the same destination IP
address.

I think a good solution would be to include also the source address in the
SA selector for multicast SAs. This would also be very useful to protect
IGMP messages by means of IPsec AH.

Steve Kent, author of the I-Ds, replied to me that it is up to the WG to
discuss this, hence my email...

So I have two questions for the group:
Is the above mentioned problem already solved for the IPsec AH and ESP
I-Ds? and
Could the source IP address be included as SA selector?

Kind regards,
 Lies Van Moffaert.


Stephen Kent <kent@bbn.com> on 03/05/2002 22:44:03

 To:      Annelies VAN MOFFAERT/BE/ALCATEL@ALCATEL
 cc:      ipsec@lists.tislabs.com
 Subject:

At 2:51 PM +0200 4/30/02, annelies.van_moffaert@alcatel.be wrote:
>Hi Steven and all,
>
>I read the new IP Authentication Header I-D and I have a small question or
>remark about the multicast SAs. I saw that these are identified by the
>destination IP address
>and the SPI value and optionally, the protocol ID.
>I'm not sure whether this rules out all possible ambiguity for SSM. For SSM
>the IP destination address does not need to be unique (if I remember
>correctly). A group session is in SSM identified by the pair (Source IP,
>Destination IP) and it is possible that 2 different sources choose the same
>SSM group address as Destination IP address. The group controller of each
>will pick independently an SPI number. It's of course very unlikely but I
>think that it is then strictly speaking possible to have the same (SPI,
>Destination IP) pair for 2 different SSM sessions. In this case the
>receiver cannot differentiate between two different SAs since they have the
>same identification pair (Destination IP, SPI). Is this correct or did I
>overlook something?
>
>Kind regards,
>  Lies
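The ambiguity raised in this thread, as an added example that is not part of the mail or the I-Ds: a small model of an inbound Security Association Database that can be keyed by (SPI, destination) as the drafts describe, or by (SPI, source, destination) as proposed. The addresses, the SPI value and the key labels are constructed for illustration; the group address 232.1.1.1 lies in the IPv4 SSM block.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    src: str      # source of the SSM channel (the sender's unicast address)
    dst: str      # multicast group address (the SSM destination)
    key_id: str   # stands in for the SA's keying material (constructed label)


class SAD:
    """Inbound SA database with a switchable multicast selector.

    use_source=False: SAs are selected by (SPI, dst), as in the I-Ds.
    use_source=True:  the source address is added, as proposed in the mail.
    """

    def __init__(self, use_source):
        self.use_source = use_source
        self.entries = []

    def add(self, sa):
        self.entries.append(sa)

    def _selector(self, spi, src, dst):
        return (spi, src, dst) if self.use_source else (spi, dst)

    def lookup(self, spi, src, dst):
        """All SAs whose selector matches an inbound packet's (SPI, src, dst)."""
        want = self._selector(spi, src, dst)
        return [sa for sa in self.entries
                if self._selector(sa.spi, sa.src, sa.dst) == want]


def resolve_inbound(sad, spi, src, dst):
    """Return the single SA for a packet, or None when the lookup is empty or
    ambiguous (several candidates); the receiver cannot verify the packet
    with a definite key in either case."""
    matches = sad.lookup(spi, src, dst)
    return matches[0] if len(matches) == 1 else None


def ssm_collision_demo(use_source):
    """Two SSM channels whose group controllers independently chose the same
    group address 232.1.1.1 and, by chance, the same SPI 0x1000 (constructed)."""
    sad = SAD(use_source)
    sad.add(SA(0x1000, "192.0.2.10", "232.1.1.1", "key-group-A"))
    sad.add(SA(0x1000, "198.51.100.20", "232.1.1.1", "key-group-B"))
    # Inbound AH/ESP packet from source B: which SA does the receiver pick?
    return resolve_inbound(sad, 0x1000, "198.51.100.20", "232.1.1.1")
```

With the destination-only selector the demo returns None because both SAs match; with the source included it returns the SA for group B.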