
Re: new version of ESP ID



Mark and Steve,
    I agree that if only one sender is authorized then that sender should be
indicated in the SA as policy that must be adhered to.  This should not cause
one to disallow multiple senders sharing an SA.  The policy rule must be
flexible enough to allow an entity, a list, a rule, a wildcard, etc. to cover
all multicast scenarios.  It would be a shame to break future advanced
multicast uses.
    I agree with Annalies that anti-replay is still a problem.  We all
acknowledged that several years ago in smug.  We also discussed the SPI
collision problem at that time.  The probability that two sender-specific SAs
would be assigned the same SPI in the same destination (multicast) address
space is rather slim.  Do you anticipate using different group keys for each of
those SAs?

--- Andrea


Mark Baugher wrote:

> Steve,
>
> At 05:07 PM 7/1/2002 -0400, Stephen Kent wrote:
> <text deleted>
>
> >>Finally, if we are going to restrict a multicast SA to single-source
> >>multicast groups, then I don't understand how we can avoid identifying or
> >>associating that sender with the SA.  If a member of the single-source
> >>multicast group who is not the authorized sender begins sending to that
> >>group, there is no way to identify this problem, which will likely break
> >>the anti-replay mechanism.
> >
> >  The SA for a single-sender, multicast SA should specify the address of
> > the one, authorized sender and that would be checked by each receiver.
>
> I'm okay with this.  It limits us strictly to single-sender multicast
> groups.  Given the complexities of multicast security, that's probably the
> best approach at least for the near term.  Shouldn't we document this
> constraint in the ESP (and AH) I-Ds?  That is, the receiver SHALL check the
> source address of a received packet to ensure that it is from the
> authorized sender for the particular SA?
>
> >This is separate from the fact that the IP source address is not (and
> >never has been) used in selecting the SA for inbound traffic, i.e., it is
> >the destination address and the SPI that are used for that demuxing.
>
> Yes, and this is consistent with what RFC 2401 says:  "The concept is
> applicable in the point-to-multipoint case as well."  We disallow having
> multiple senders share an SA.  Annalies' point was (if I understand her
> correctly) that we cannot have multiple SAs for a particular multicast
> destination address because the SPIs might collide.  The SPIs might collide
> if different group controllers assign them independently.  Do you agree?
>
> Mark
>
> >Steve
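
Added example (editor's illustration, not code from anyone in the thread): a toy model of the inbound processing the messages above argue about. The SAD lookup is keyed by (destination address, SPI) only, as RFC 2401 specifies; the per-SA `authorized_sender` field, the sliding-window implementation, the group address 239.1.1.1, the SPI 0x1000 and the sender addresses are all constructed for illustration. The three scenarios show the source-address check Mark wants documented, how two senders sharing one SA with independent sequence counters defeat anti-replay even when both are legitimate members, and why independently assigned SPIs for the same destination collide in the receiver's table.

```python
"""Toy inbound IPsec SA model for a multicast group (constructed example).

Lookup is by (dst, SPI) only, per RFC 2401. The 'authorized_sender' policy
field, window code, addresses and SPI values are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 32  # anti-replay window width in sequence numbers (assumed value)


@dataclass
class InboundSA:
    dst: str                                 # multicast destination address
    spi: int
    authorized_sender: Optional[str] = None  # None: any group member may send on this SA
    highest_seq: int = 0                     # highest sequence number accepted so far
    window: int = 0                          # bit k set <=> seq (highest_seq - k) already seen

    def replay_check(self, seq: int) -> bool:
        """Sliding-window anti-replay check: record and accept seq, or reject it."""
        if seq == 0:                          # ESP sequence numbers start at 1
            return False
        if seq > self.highest_seq:            # window slides forward to the new high mark
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:                    # older than the window: reject
            return False
        bit = 1 << diff
        if self.window & bit:                 # already received: replay
            return False
        self.window |= bit
        return True


class SAD:
    """Inbound Security Association Database keyed by (dst, SPI)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        key = (sa.dst, sa.spi)
        if key in self.table:
            # Two controllers assigning SPIs independently for the same group
            # address can pick the same value; the receiver then cannot
            # distinguish the SAs, since source address is not part of the key.
            raise ValueError(f"SPI collision on {key}")
        self.table[key] = sa

    def process(self, pkt: dict) -> str:
        """Demux by (dst, SPI), then apply the SA's sender policy and anti-replay."""
        sa = self.table.get((pkt["dst"], pkt["spi"]))
        if sa is None:
            return "no SA"
        if sa.authorized_sender is not None and pkt["src"] != sa.authorized_sender:
            return "unauthorized sender"      # the receiver-side check discussed above
        if not sa.replay_check(pkt["seq"]):
            return "replay"
        return "accept"


def pkt(src: str, seq: int, dst: str = "239.1.1.1", spi: int = 0x1000) -> dict:
    """Constructed ESP header fields; no payload is needed for this model."""
    return {"src": src, "dst": dst, "spi": spi, "seq": seq}


def scenario_single_sender() -> List[str]:
    """SA bound to one authorized sender: another member's traffic is rejected outright."""
    sad = SAD()
    sad.add(InboundSA("239.1.1.1", 0x1000, authorized_sender="10.0.0.1"))
    return [sad.process(p) for p in (
        pkt("10.0.0.1", 1), pkt("10.0.0.1", 2),
        pkt("10.0.0.2", 1),                   # member, but not the authorized sender
        pkt("10.0.0.1", 2),                   # genuine replay of seq 2
    )]


def scenario_shared_sa() -> List[str]:
    """Two senders sharing one SA, each with its own counter: the window built
    from sender A's numbers rejects sender B's fresh packets as replays."""
    sad = SAD()
    sad.add(InboundSA("239.1.1.1", 0x1000, authorized_sender=None))
    return [sad.process(p) for p in (
        pkt("10.0.0.1", 1), pkt("10.0.0.1", 2), pkt("10.0.0.1", 3),
        pkt("10.0.0.2", 1), pkt("10.0.0.2", 2),  # B's first packets look like replays
        pkt("10.0.0.2", 4),                      # accepted only because it exceeds A's high mark
    )]


def scenario_spi_collision() -> bool:
    """Two controllers independently pick SPI 0x1000 for the same group address."""
    sad = SAD()
    sad.add(InboundSA("239.1.1.1", 0x1000, authorized_sender="10.0.0.1"))
    try:
        sad.add(InboundSA("239.1.1.1", 0x1000, authorized_sender="10.0.0.2"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(scenario_single_sender())  # ['accept', 'accept', 'unauthorized sender', 'replay']
    print(scenario_shared_sa())      # ['accept', 'accept', 'accept', 'replay', 'replay', 'accept']
    print(scenario_spi_collision())  # True
```

The shared-SA scenario is the failure Steve describes: sender B's packets are well-formed and B is a group member, yet they are dropped because the receiver keeps one window per SA, not per sender. Andrea's question about separate group keys per sender-specific SA is exactly what the collision scenario leaves open: a second SA for the same destination needs a distinct SPI before any per-SA key can matter.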