
Re: new version of ESP ID
At 8:30 AM -0700 7/2/02, Mark Baugher wrote:
>Steve,
>
>At 05:07 PM 7/1/2002 -0400, Stephen Kent wrote:
><text deleted>
>
>>>Finally, if we are going to restrict a multicast SA to 
>>>single-source multicast groups, then I don't understand how we can 
>>>avoid identifying associating that sender with the SA.  If a 
>>>member of the single-source multicast group who is not the 
>>>authorized sender begins sending to that group, there is no way to 
>>>identify this problem, which will likely break the anti-replay 
>>>mechanism.
>>
>>  The SA for a single-sender, multicast SA should specify the 
>>address of the one, authorized sender and that would be checked by 
>>each receiver.
>
>I'm okay with this.  It limits us strictly to single-sender 
>multicast groups.  Given the complexities of multicast security, 
>that's probably the best approach at least for the near term. 
>Shouldn't we document this constraint in the ESP (and AH) I-Ds? 
>That is, the receiver SHALL check the source address of a received 
>packet to ensure that it is from the authorized sender for the 
>particular SA?

We can clarify this in 2401bis, but the requirement has always been 
present to match the received packet (inner header for tunnel mode) 
against the selectors for the SA, to ensure that the received traffic 
is consistent with the access controls negotiated for the SA. So, 
this is just a case where the admin should have set the SA selectors 
to specify a single IP source address for inbound traffic.

>>This is separate from the fact that the IP source address is not 
>>(and never has been) used in selecting the SA for inbound traffic, 
>>i.e., it is the destination address and the SPI that are used for 
>>that demuxing.
>
>Yes, and this is consistent with what RFC 2401 says:  "The concept 
>is applicable in the point-to-multipoint case as well."  We disallow 
>having multiple senders share an SA.  Annalies point was (if I 
>understand her correctly) that we cannot have multiple SAs for a 
>particular multicast destination address because the SPIs might 
>collide.  The SPIs might collide if different group controllers 
>assign them independently.  Do you agree?

I've always assumed that a single controller or coordinated set of 
controllers assigned SPIs for a given multicast address anyway. All 
the senders and receivers have to have the same SPI for the traffic, 
so I assumed the requisite level of coordination was not a problem.

Steve
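The two-step inbound processing discussed in this exchange, as an added illustration that is not part of the thread and not any implementation's code: a toy model in which the SA is looked up by destination address and SPI only (the source address plays no part in the demux), and the packet's source address is then checked against the SA's selectors. The second half of the example shows why Steve's point matters for single-source multicast: if the selector check is skipped, a non-authorized group member sending with a high sequence number advances the anti-replay window and the authorized sender's subsequent packets are rejected as replays. All addresses, SPIs, sequence numbers and the 64-entry window size are constructed sample values.

```python
# Added example (not from the thread): toy inbound ESP processing.
#   1. SA lookup ("demux") keyed by (destination address, SPI) only.
#   2. Selector check: source address must be one the SA permits
#      (a single authorized sender for a single-source multicast SA).
#   3. Anti-replay sliding window, RFC 2401 style, applied only to
#      packets that passed the selector check.
# Addresses, SPIs and sequence numbers below are constructed values.
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    dst: str                    # multicast destination address
    spi: int
    allowed_sources: frozenset  # selectors: permitted source addresses
    window_size: int = 64       # constructed window size
    highest_seq: int = 0        # highest sequence number accepted so far
    window: int = 0             # bit i set => highest_seq - i was received

    def replay_check_and_update(self, seq: int) -> bool:
        """Return True if seq is new (and record it), False if replayed/stale."""
        if seq == 0:
            return False  # sequence number 0 is never valid
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            # Slide the window forward; old entries fall off the left end.
            self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False  # too old to be tracked: treat as replay
        if self.window & (1 << diff):
            return False  # already seen
        self.window |= 1 << diff
        return True


@dataclass
class Packet:
    src: str
    dst: str
    spi: int
    seq: int


class InboundESP:
    """Security Association Database for inbound traffic (toy model)."""

    def __init__(self):
        self.sad = {}

    def add_sa(self, sa: SecurityAssociation) -> None:
        # Demux key deliberately excludes the source address.
        self.sad[(sa.dst, sa.spi)] = sa

    def process(self, pkt: Packet, enforce_selectors: bool = True) -> str:
        sa = self.sad.get((pkt.dst, pkt.spi))
        if sa is None:
            return "no-sa"
        # Selector check against the SA's access controls.
        if enforce_selectors and pkt.src not in sa.allowed_sources:
            return "selector-mismatch"
        if not sa.replay_check_and_update(pkt.seq):
            return "replay"
        return "accepted"


def demo(enforce_selectors: bool) -> list:
    """Authorized sender 10.0.0.1; rogue group member 10.0.0.99 (constructed)."""
    esp = InboundESP()
    esp.add_sa(SecurityAssociation(dst="239.1.2.3", spi=0x1001,
                                   allowed_sources=frozenset({"10.0.0.1"})))
    results = []
    for seq in (1, 2, 3):
        results.append(esp.process(Packet("10.0.0.1", "239.1.2.3", 0x1001, seq),
                                   enforce_selectors))
    # Unauthorized member sends to the same group/SPI with a large seq number.
    results.append(esp.process(Packet("10.0.0.99", "239.1.2.3", 0x1001, 500),
                               enforce_selectors))
    # Authorized sender continues with its next sequence number.
    results.append(esp.process(Packet("10.0.0.1", "239.1.2.3", 0x1001, 4),
                               enforce_selectors))
    return results


if __name__ == "__main__":
    print("selectors enforced:", demo(True))
    print("selectors skipped: ", demo(False))
```

With the selector check in place the rogue packet is dropped as `selector-mismatch` and the authorized sender's sequence 4 is accepted; without it the rogue packet is accepted, the window jumps to 500, and the authorized sender's sequence 4 is discarded as a replay, which is the failure mode Mark describes.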