[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?

To: Markku Savela <msa@burp.tkv.asdf.org>
Subject: Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
From: Mark Baugher <mbaugher@cisco.com>
Date: Tue, 02 Jul 2002 12:01:50 -0700
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200207021557.SAA02464@burp.tkv.asdf.org>
References: <4.3.2.7.2.20020702080307.04d2def8@mira-sjc5-6.cisco.com><4.3.2.7.2.20020701102526.04b8f538@mira-sjc5-6.cisco.com><4.3.2.7.2.20020701102526.04b8f538@mira-sjc5-6.cisco.com><4.3.2.7.2.20020702080307.04d2def8@mira-sjc5-6.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Markku,
    I may be misunderstanding something about IPsec.  By my reading of RFC 
2401, the SA is uniquely identified by <SPI, destination address, IPsec 
protocol> and it is not possible to install another SA having the same 
triple but with a different source address based upon some SPD entry.

Mark
At 06:57 PM 7/2/2002 +0300, Markku Savela wrote:

> > From: Mark Baugher <mbaugher@cisco.com>
> > Cc: annelies.van_moffaert@alcatel.be, ipsec@lists.tislabs.com
> > Content-Type: text/plain; charset="us-ascii"; format=flowed
> >
> > At 11:25 PM 7/1/2002 +0300, Markku Savela wrote:
> > > > From: Mark Baugher <mbaugher@cisco.com>
> > >
> > > > >I think a good solution would be to include also the source 
> address in the
> > > > >SA selector for multicast SAs. This would also be very useful  to 
> protect
> > > > >IGMP messages by means of IPsec AH.
> > > >
> > > > I favor this approach but it is not consistent with RFC2401.
> > >
> > >Nothing in RFC2401 prevents using source address as a selector.
> >
> > Annalies used the term "selector," I didn't.  I wasn't referring to the 
> SPD
> > and how packets are selected for IPsec processing but rather how an SA is
> > identified.  Section 4.1 of RFC 2401 says that an IPsec SA is uniquely
> > identified by the triple <SPI, destination address, IPsec protocol>.
>
>Yes, <SPI, destination, protocol>, but then SA is supposed to include
>additional parameters (as per RFC 2401) which are used to distinguish
>between different SA's. One of those parameters is the source address
>(other paramters are the ports and transport protocol).
>
>We could have multiple SA's with same destination (= multicast group),
>with different source address.
>
>The proposed IKEv2 TS payload almost gets it, but there may be some
>confusion about two "source addresses": (1) the source address of
>the IPSEC node and (2) the source address of the original packet.
>
>However, as IKEv2 may not be relevant here (for negotiating multicast
>SA's), this may not be an issue?

Follow-Ups:
- Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
  - From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
  - From: Paul Koning <pkoning@equallogic.com>

References:
- identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
  - From: Mark Baugher <mbaugher@cisco.com>
- Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
  - From: Mark Baugher <mbaugher@cisco.com>
- Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
  - From: Markku Savela <msa@burp.tkv.asdf.org>

Prev by Date: Re: [MSEC] Re: new version of ESP ID
Next by Date: Re: new version of ESP ID
Prev by thread: Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
Next by thread: Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
Index(es):
- Date
- Thread