Re: new version of ESP ID

[Mark Baugher <mbaugher@cisco.com>]

Karen, Steve,
At 06:55 PM 6/28/2002 -0400, Karen Seo wrote:
><text deleted>
>
>A question was posed to the working group (6/17) as to whether to change 
>the SA demuxing values to allow use of the Source IP address for 
>source-specific multicast protocols. There has been no feedback so far so 
>no changes were made.

I missed the 6/17 note.  I have a few comments on use of the source IP 
address for source-specific multicast.

First, section 2.2 deprecates sharing an SA among multiple senders to a 
multicast group and in effect mandates single-sender multicast for ESP 
groups.  The same is true for AH.  I'm aware of only one protocol, the VRRP 
specification, that is affected by this change.  VRRP uses AH or ESP but 
allows multi-source multicast groups.  We should notify the VRRP WG of this 
potential change.

Second, I think there is an inconsistency between 2.2 and 3.4.2 in that 2.2 
disallows sharing of an SA among multiple senders and 3.4.2 states that 
anti-replay SHOULD NOT be used in a multi-sender environment.  Doesn't the 
first restriction obviate the need for the second?

Finally, If we are going to restrict a multicast SA to single-source 
multicast groups, then I don't understand how we can avoid identifying 
associating that sender with the SA.  If a member of the single-source 
multicast group who is not the authorized sender begins sending to that 
group, there is no way to identify this problem, which will likely break 
the anti-replay mechanism.

regards, Mark


>Thank you,
>Karen
>