Re: new version of ESP ID
Steve,
At 05:07 PM 7/1/2002 -0400, Stephen Kent wrote:
<text deleted>
>>Finally, If we are going to restrict a multicast SA to single-source
>>multicast groups, then I don't understand how we can avoid identifying
>>associating that sender with the SA. If a member of the single-source
>>multicast group who is not the authorized sender begins sending to that
>>group, there is no way to identify this problem, which will likely break
>>the anti-replay mechanism.
>
> The SA for a single-sender, multicast SA should specify the address of
> the one, authorized sender and that would be checked by each receiver.
I'm okay with this. It limits us strictly to single-sender multicast
groups. Given the complexities of multicast security, that's probably the
best approach at least for the near term. Shouldn't we document this
constraint in the ESP (and AH) I-Ds? That is, the receiver SHALL check the
source address of a received packet to ensure that it is from the
authorized sender for the particular SA?
>This is separate from the fact that the IP source address is not (and
>never has been) used in selecting the SA for inbound traffic, i.e., it is
>the destination address and the SPI that are used for that demuxing.
Yes, and this is consistent with what RFC 2401 says: "The concept is
applicable in the point-to-multipoint case as well." We disallow having
multiple senders share an SA. Annalies' point was (if I understand her
correctly) that we cannot have multiple SAs for a particular multicast
destination address because the SPIs might collide. The SPIs might collide
if different group controllers assign them independently. Do you agree?
Mark
>Steve
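As an added illustration (not code from the thread or from any IPsec implementation): a toy inbound SAD that demuxes on destination address and SPI only, as RFC 2401 says, plus the per-SA authorized-sender check Mark proposes for single-sender multicast SAs. The class and function names, the group and host addresses, and the packets are constructed for the example; it shows why a non-authorized group member sending on the SA disturbs the legitimate sender's anti-replay window unless the source address is checked.

```python
# Added example, not part of the original message: receiver-side SA lookup
# keyed on (dst, SPI) with an optional authorized-sender check for
# single-sender multicast SAs.  All addresses and SPIs are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InboundSA:
    dst: str
    spi: int
    authorized_src: Optional[str]   # None: not a single-sender multicast SA
    window: int = 64
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def replay_check(self, seq: int) -> bool:
        """Sliding anti-replay window; True if seq is fresh and in window."""
        if seq <= self.highest_seq - self.window or seq in self.seen:
            return False
        self.seen.add(seq)
        if seq > self.highest_seq:
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return True

def inbound_process(sad, src, dst, spi, seq, enforce_sender=True):
    # Demux on destination address and SPI only; src never selects the SA.
    sa = sad.get((dst, spi))
    if sa is None:
        return "no-sa"
    # The proposed constraint: for a single-sender multicast SA the receiver
    # SHALL verify the packet came from the one authorized sender.
    if enforce_sender and sa.authorized_src and src != sa.authorized_src:
        return "drop-unauthorized-sender"
    return "accept" if sa.replay_check(seq) else "drop-replay"

def demo(enforce_sender: bool):
    """Constructed scenario: group 239.1.1.1, SPI 0x1001, sender 10.0.0.1."""
    sad = {("239.1.1.1", 0x1001): InboundSA("239.1.1.1", 0x1001, "10.0.0.1")}
    results = [inbound_process(sad, "10.0.0.1", "239.1.1.1", 0x1001, 1, enforce_sender)]
    # Another group member (not the authorized sender) emits seq 500 on the SA.
    results.append(inbound_process(sad, "10.0.0.9", "239.1.1.1", 0x1001, 500, enforce_sender))
    # The legitimate sender's next packet, seq 2: without the sender check the
    # window has moved past it and it is rejected as a replay.
    results.append(inbound_process(sad, "10.0.0.1", "239.1.1.1", 0x1001, 2, enforce_sender))
    return results
```

demo(True) accepts both legitimate packets and drops the stray one; demo(False) accepts the stray packet and then rejects the legitimate seq 2 as a replay.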