Re: identifying IPsec SAs (was Re: IPsec AH and ESP I-Ds; source address as possible SA selector for multicast SA?
>>>>> "Mark" == Mark Baugher <mbaugher@cisco.com> writes:
Mark> Markku, I may be misunderstanding something about IPsec. By my
Mark> reading of RFC 2401, the SA is uniquely identified by <SPI,
Mark> destination address, IPsec protocol> and it is not possible to
Mark> install another SA having the same triple but with a different
Mark> source address based upon some SPD entry.
That's my reading as well.
Mark> Mark
Mark> At 06:57 PM 7/2/2002 +0300, Markku Savela wrote:
>> Yes, <SPI, destination, protocol>, but then SA is supposed to
>> include additional parameters (as per RFC 2401) which are used to
>> distinguish between different SA's. One of those parameters is the
>> source address (other parameters are the ports and transport
>> protocol).
>>
>> We could have multiple SA's with same destination (= multicast
>> group), with different source address.
I don't see how that can be valid.
Yes, once you find a particular SA, you then have a security policy
that describes checks on source address, and lots of other things.
But that's a filter, NOT a demultiplexing operation.
paul
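The distinction Paul draws above (the <SPI, destination address, protocol> triple demultiplexes to one SA; the source address and other selectors are then a policy filter on that SA) is illustrated by the following toy model. This is an added example, not code from the thread or from any IPsec implementation: the SAD/SPD structures, the packet dictionary layout and the per-SA `src_selector` field are assumptions made for illustration, and the address values are constructed.

```python
# Added example (not from the mailing-list thread): a minimal inbound
# IPsec model showing why a second SA with the same
# <SPI, destination, protocol> triple cannot be installed, and that the
# source address is checked as a policy filter AFTER the SA is found.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP


@dataclass
class SA:
    spi: int
    dst: str            # destination address (here a multicast group)
    proto: int          # AH or ESP
    src_selector: str   # assumed per-SA selector: network packets may come from

    @property
    def key(self):
        # Demultiplexing key per RFC 2401: source address is NOT part of it.
        return (self.spi, self.dst, self.proto)


class SAD:
    """Toy Security Association Database keyed on the RFC 2401 triple."""

    def __init__(self):
        self._sas = {}

    def install(self, sa: SA) -> None:
        if sa.key in self._sas:
            raise ValueError(
                f"SA already exists for {sa.key}; a different source address "
                "does not make a distinct SA")
        self._sas[sa.key] = sa

    def lookup(self, spi: int, dst: str, proto: int):
        return self._sas.get((spi, dst, proto))


def inbound(sad: SAD, packet: dict) -> str:
    """Classify a constructed inbound packet: NO_SA, POLICY_DROP or ACCEPT."""
    # Step 1: demultiplex on the triple only.
    sa = sad.lookup(packet["spi"], packet["dst"], packet["proto"])
    if sa is None:
        return "NO_SA"
    # Step 2: apply the SA's selectors (source address here) as a filter.
    if ip_address(packet["src"]) not in ip_network(sa.src_selector):
        return "POLICY_DROP"
    return "ACCEPT"


def demo() -> dict:
    """Run the scenario from the thread with constructed addresses."""
    sad = SAD()
    group = "239.1.2.3"  # constructed multicast group
    sad.install(SA(spi=0x1000, dst=group, proto=ESP, src_selector="10.0.0.0/24"))
    try:
        # Same triple, different source: RFC 2401 gives no way to key on this.
        sad.install(SA(spi=0x1000, dst=group, proto=ESP, src_selector="10.0.1.0/24"))
        second_install = "installed"
    except ValueError:
        second_install = "rejected"
    return {
        "second_install": second_install,
        "good_src": inbound(sad, {"spi": 0x1000, "dst": group, "proto": ESP, "src": "10.0.0.5"}),
        "bad_src": inbound(sad, {"spi": 0x1000, "dst": group, "proto": ESP, "src": "10.0.1.5"}),
        "unknown_spi": inbound(sad, {"spi": 0x2000, "dst": group, "proto": ESP, "src": "10.0.0.5"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model a packet from an unexpected source still reaches the correct SA (it is the only one the triple can select); it is only dropped by the selector check that follows. That is the "filter, not demultiplexing" point: the source address can narrow what an SA accepts, but it cannot be used to pick between two SAs sharing the same triple.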