
Re: new version of ESP ID



Steve,

At 05:07 PM 7/1/2002 -0400, Stephen Kent wrote:
<text deleted>


>>Finally, If we are going to restrict a multicast SA to single-source 
>>multicast groups, then I don't understand how we can avoid identifying 
>>associating that sender with the SA.  If a member of the single-source 
>>multicast group who is not the authorized sender begins sending to that 
>>group, there is no way to identify this problem, which will likely break 
>>the anti-replay mechanism.
>
>  The SA for a single-sender, multicast SA should specify the address of 
> the one, authorized sender and that would be checked by each receiver.

I'm okay with this.  It limits us strictly to single-sender multicast 
groups.  Given the complexities of multicast security, that's probably the 
best approach at least for the near term.  Shouldn't we document this 
constraint in the ESP (and AH) I-Ds?  That is, the receiver SHALL check the 
source address of a received packet to ensure that it is from the 
authorized sender for the particular SA?


>This is separate from the fact that the IP source address is not (and 
>never has been) used in selecting the SA for inbound traffic, i.e., it is 
>the destination address and the SPI that are used for that demuxing.

Yes, and this is consistent with what RFC 2401 says:  "The concept is 
applicable in the point-to-multipoint case as well."  We disallow having 
multiple senders share an SA.  Annalies' point was (if I understand her 
correctly) that we cannot have multiple SAs for a particular multicast 
destination address because the SPIs might collide.  The SPIs might collide 
if different group controllers assign them independently.  Do you agree?

Mark


>Steve
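The three mechanisms discussed in this exchange, modelled as an added example (not code from the thread or from any IPsec implementation): the receiver demuxes an inbound SA by (destination address, SPI) only; for a single-sender multicast SA it then compares the packet's IP source address with the one authorized sender recorded in the SA; and it runs the RFC 2401-style sliding anti-replay window. The example also shows what Mark's earlier message warned about, namely that without the source check a non-authorized group member can advance the window so that the real sender's packets are dropped as replays, and what Annalies raised, that two group controllers assigning SPIs independently can collide in the receiver's SAD. All addresses, SPIs and sequence numbers are constructed sample values; the class and function names are this example's own.

```python
"""Toy inbound IPsec processing for a single-sender multicast SA (added example)."""
from dataclasses import dataclass

WINDOW = 64  # RFC 2401 minimum anti-replay window size, in packets


@dataclass
class SA:
    dst: str
    spi: int
    authorized_sender: str   # the one sender allowed on a single-sender multicast SA
    highest_seq: int = 0     # right edge of the sliding window
    bitmap: int = 0          # bit i set => sequence number (highest_seq - i) already seen


@dataclass
class Packet:
    src: str
    dst: str
    spi: int
    seq: int


class SADatabase:
    """Inbound SAD keyed by (destination address, SPI), never by source address."""

    def __init__(self):
        self._by_dst_spi = {}

    def add(self, sa):
        key = (sa.dst, sa.spi)
        if key in self._by_dst_spi:
            # Independently assigned SPIs for the same multicast destination are
            # indistinguishable to the receiver, so the second SA cannot be installed.
            raise ValueError(f"SPI collision on {key}")
        self._by_dst_spi[key] = sa

    def lookup_inbound(self, pkt):
        # RFC 2401 demuxing: the IP source address is not part of the key.
        return self._by_dst_spi.get((pkt.dst, pkt.spi))


def replay_check_and_update(sa, seq):
    """Sliding-window anti-replay check in the style of RFC 2401 Appendix C.
    Returns True and records seq if it is acceptable, False otherwise."""
    if seq == 0:
        return False                      # sequence number 0 is never valid
    if seq > sa.highest_seq:              # new right edge: slide the window
        shift = seq - sa.highest_seq
        sa.bitmap = ((sa.bitmap << shift) & ((1 << WINDOW) - 1)) | 1
        sa.highest_seq = seq
        return True
    diff = sa.highest_seq - seq
    if diff >= WINDOW:
        return False                      # older than the window
    if sa.bitmap & (1 << diff):
        return False                      # already seen: replay
    sa.bitmap |= 1 << diff
    return True


def receive(sad, pkt, check_source=True):
    """Inbound processing; returns a short verdict string for the packet."""
    sa = sad.lookup_inbound(pkt)
    if sa is None:
        return "no SA"
    if check_source and pkt.src != sa.authorized_sender:
        return "rejected: unauthorized sender"
    if not replay_check_and_update(sa, pkt.seq):
        return "rejected: replay"
    return "accepted"


def run_scenario(check_source):
    """Authorized sender, then a rogue group member, then the authorized sender again."""
    sad = SADatabase()
    sad.add(SA(dst="224.0.1.10", spi=0x1001, authorized_sender="10.0.0.1"))
    return [
        receive(sad, Packet("10.0.0.1", "224.0.1.10", 0x1001, 1), check_source),
        # Rogue member of the group sends on the same SA with a far-ahead sequence number.
        receive(sad, Packet("10.0.0.99", "224.0.1.10", 0x1001, 500), check_source),
        receive(sad, Packet("10.0.0.1", "224.0.1.10", 0x1001, 2), check_source),
    ]


def spi_collision():
    """Two group controllers independently pick SPI 0x2000 for the same group."""
    sad = SADatabase()
    sad.add(SA(dst="224.0.1.10", spi=0x2000, authorized_sender="10.0.0.1"))
    try:
        sad.add(SA(dst="224.0.1.10", spi=0x2000, authorized_sender="10.0.0.2"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("with source check:   ", run_scenario(True))
    print("without source check:", run_scenario(False))
    print("SPI collision detected:", spi_collision())
```

With the source check, the rogue packet is dropped and the authorized sender's next packet is accepted. Without it, the rogue packet slides the window to 500, and the authorized sender's sequence number 2 is then rejected as too old, which is the anti-replay breakage Mark describes. The collision case is why the receiver's SAD cannot hold two SAs for the same multicast destination and SPI.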