identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
At 11:25 PM 7/1/2002 +0300, Markku Savela wrote:
> > From: Mark Baugher <mbaugher@cisco.com>
>
> > >I think a good solution would be to include also the source address in the
> > >SA selector for multicast SAs. This would also be very useful to protect
> > >IGMP messages by means of IPsec AH.
> >
> > I favor this approach but it is not consistent with RFC2401.
>
>Nothing in RFC2401 prevents using source address as a selector.
Annalies used the term "selector," I didn't. I wasn't referring to the SPD
and how packets are selected for IPsec processing but rather how an SA is
identified. Section 4.1 of RFC 2401 says that an IPsec SA is uniquely
identified by the triple <SPI, destination address, IPsec protocol>. The
issue is whether we support multi-sender multicast groups: If we allow
multiple senders to a multicast destination address, then a 4-tuple is
needed <SPI, source address, destination address, IPsec
protocol>. Otherwise, we lose replay protection. It's worse if the IPsec
implementation does not correctly handle the case of multiple senders and
attempts IPsec replay protection on two or more different sequence number
spaces.
Mark
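The point Mark makes about sequence-number spaces is easy to see in a small model. The following is an added illustration, not code from this message, from RFC 2401, or from any IPsec implementation: it implements the sliding-window anti-replay check sketched in RFC 2401 Appendix C and runs it on a multicast receiver that identifies the inbound SA either by the RFC 2401 triple <SPI, destination address, protocol> or by the 4-tuple that also includes the source address. The group address, SPI, sender addresses and sequence numbers are constructed sample values.

```python
"""Anti-replay window keyed by the SA identifier (added example).

Models RFC 2401 Appendix C style anti-replay checking on a multicast
receiver.  Two senders share one multicast SA, each with its own
sequence-number space.  The receiver looks the SA up either by the
RFC 2401 triple or by a 4-tuple that adds the source address.
All addresses, SPIs and sequence numbers below are constructed.
"""

from dataclasses import dataclass, field

WINDOW = 64  # RFC 2401 mandates a minimum window of 32; 64 is the usual default


@dataclass
class ReplayWindow:
    """Sliding anti-replay window for one inbound SA."""
    top: int = 0      # highest sequence number accepted so far
    bitmap: int = 0   # bit i set  =>  sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record seq) if seq is new; False if replayed or too old."""
        if seq == 0:
            return False  # AH/ESP never send sequence number 0
        if seq > self.top:
            shift = seq - self.top
            # slide the window forward and mark the new top as seen
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False  # fell off the back of the window: treat as replay
        if (self.bitmap >> diff) & 1:
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: int
    proto: str   # "ESP" or "AH"
    seq: int


@dataclass
class Receiver:
    """Multicast receiver; SA lookup uses the triple or the 4-tuple."""
    include_source: bool
    replay_check: bool = True
    windows: dict = field(default_factory=dict)

    def sa_key(self, pkt: Packet) -> tuple:
        key = (pkt.spi, pkt.dst, pkt.proto)          # RFC 2401 section 4.1 triple
        if self.include_source:
            key += (pkt.src,)                         # 4-tuple proposed in the thread
        return key

    def accept(self, pkt: Packet) -> bool:
        if not self.replay_check:
            return True
        win = self.windows.setdefault(self.sa_key(pkt), ReplayWindow())
        return win.check_and_update(pkt.seq)


def run_scenario(include_source: bool, replay_check: bool = True):
    """Two legitimate senders, then one replayed packet.

    Returns (number of legitimate packets accepted out of 6,
             whether the replayed packet was accepted).
    """
    rx = Receiver(include_source, replay_check)
    group, spi = "239.1.2.3", 0x1234                  # constructed sample values
    sender_a = [Packet("10.0.0.1", group, spi, "ESP", s) for s in (1, 2, 3)]
    sender_b = [Packet("10.0.0.2", group, spi, "ESP", s) for s in (1, 2, 3)]
    accepted_legit = sum(rx.accept(p) for p in sender_a + sender_b)
    replay_accepted = rx.accept(sender_a[1])           # A's packet 2 seen a second time
    return accepted_legit, replay_accepted


if __name__ == "__main__":
    print("triple, replay check on :", run_scenario(False, True))   # (3, False)
    print("triple, replay check off:", run_scenario(False, False))  # (6, True)
    print("4-tuple, replay check on:", run_scenario(True, True))    # (6, False)
```

With the triple as the SA key and replay checking on, sender B's packets collide with sender A's already-seen sequence numbers and half the legitimate traffic is discarded; the only way to make the triple work for two senders is to turn replay checking off, at which point the replayed packet is accepted too. Keying the window by the 4-tuple gives each sender its own window, so all six legitimate packets pass and the replay is still rejected.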