
Re: new version of ESP ID



Mark,

>Karen, Steve,
>At 06:55 PM 6/28/2002 -0400, Karen Seo wrote:
>><text deleted>
>>
>>A question was posed to the working group (6/17) as to whether to 
>>change the SA demuxing values to allow use of the Source IP address 
>>for source-specific multicast protocols. There has been no feedback 
>>so far so no changes were made.
>
>I missed the 6/17 note.  I have a few comments on use of the source 
>IP address for source-specific multicast.
>
>First, section 2.2 deprecates sharing an SA among multiple senders 
>to a multicast group and in effect mandates single-sender multicast 
>for ESP groups.  The same is true for AH.  I'm aware of only one 
>protocol, the VRRP specification, that is affected by this change. 
>VRRP uses AH or ESP but allows multi-source multicast groups.  We 
>should notify the VRRP WG of this potential change.

OK.

>Second, I think there is an inconsistency between 2.2 and 3.4.2 in 
>that 2.2 disallows sharing of an SA among multiple senders and 3.4.2 
>states that anti-replay SHOULD NOT be used in a multi-sender 
>environment.  Doesn't the first restriction obviate the need for the 
>second?

Good point. We carried over the text without thinking through the 
implications of the previous change.

>Finally, if we are going to restrict a multicast SA to single-source 
>multicast groups, then I don't understand how we can avoid 
>associating that sender with the SA.  If a member of the 
>single-source multicast group who is not the authorized sender 
>begins sending to that group, there is no way to identify this 
>problem, which will likely break the anti-replay mechanism.

The SA for a single-sender, multicast SA should specify the address 
of the one, authorized sender and that would be checked by each 
receiver.

This is separate from the fact that the IP source address is not (and 
never has been) used in selecting the SA for inbound traffic, i.e., 
it is the destination address and the SPI that are used for that 
demuxing.

Steve
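As an added illustration of the two points made above, not code from this thread or from any IPsec implementation: inbound SA demuxing on destination address and SPI only, with the single-sender check and the anti-replay window applied after the SA has been selected. The group address, SPI, sender address and window size are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for a single-sender multicast ESP SA.
GROUP, SPI, SENDER = "232.1.2.3", 0x1000, "192.0.2.10"

@dataclass
class InboundSA:
    spi: int
    dst: str
    authorized_src: Optional[str]  # set for a single-sender multicast SA
    anti_replay: bool = True
    window: int = 64               # RFC 2401 minimum window size
    highest_seq: int = 0           # highest sequence number accepted so far
    bitmap: int = 0                # bit i set => seq (highest_seq - i) seen

def lookup_inbound_sa(sad, dst, spi):
    # Inbound demuxing keys on destination address and SPI only;
    # the IP source address plays no part in selecting the SA.
    return sad.get((dst, spi))

def check_replay(sa, seq):
    """Sliding-window anti-replay check; updates the window on accept."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.highest_seq = seq
        return True
    diff = sa.highest_seq - seq
    if diff >= sa.window or sa.bitmap & (1 << diff):
        return False  # too old for the window, or already seen
    sa.bitmap |= 1 << diff
    return True

def process_inbound(sad, src, dst, spi, seq):
    sa = lookup_inbound_sa(sad, dst, spi)
    if sa is None:
        return "drop: no SA"
    # Single-sender multicast: the one authorized sender is recorded in
    # the SA and checked by every receiver once the SA has been selected.
    if sa.authorized_src is not None and src != sa.authorized_src:
        return "drop: unauthorized sender"
    if sa.anti_replay and not check_replay(sa, seq):
        return "drop: replay"
    return "accept"

def make_sad():
    return {(GROUP, SPI): InboundSA(SPI, GROUP, authorized_src=SENDER)}
```

Traffic from an unauthorized group member is dropped before it touches the replay window, so it cannot disturb the authorized sender's sequence numbers.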