Re: new version of ESP ID
>First, section 2.2 deprecates sharing an SA among multiple senders to a
>multicast group and in effect mandates single-sender multicast for ESP
>groups. The same is true for AH. I'm aware of only one protocol, the VRRP
>specification, that is affected by this change. VRRP uses AH or ESP but
>allows multi-source multicast groups. We should notify the VRRP WG of this
>potential change.
I brought this up at the WG meeting in Minneapolis. Several protocols
that send multicasts on a LAN use this model (VRRP, OSPFv3, PIM,
IGMP come to mind).
I'd like to see two possible modes for use with multicast:
- anti-replay sequence number per sender, with a shared SA.
- including the source address when demultiplexing to permit SSM semantics.
I know that at least the first is the complete opposite of the direction
that the group has been going. However, especially with 64-bit anti-replay
sequence numbers, it permits protocols to use a standard, existing protocol
even when using static shared SAs. Yes, a static shared SA buys you much
less protection than dynamically negotiated ones, but does that mean that it
should be ruled out?
Bill
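As an added illustration of the two modes proposed above (per-sender anti-replay state under a shared SA, and SA demultiplexing that includes the source address), the following Python simulation is not part of this thread and is not code from any IPsec implementation. It models an ESP receiver with a standard sliding replay window and compares a single window shared by all senders against windows keyed by (SPI, destination, source). The SPI, the window size and the packet trace are constructed for the example; the group address 224.0.0.18 is the IANA-assigned VRRP address. Sequence numbers are plain Python integers, so the same logic applies whether the SA uses 32-bit or 64-bit numbering.

```python
"""Replay-window demultiplexing for a multicast SA shared by several senders.

Added example (not from the mailing-list post or any real IPsec stack).
Shows why a shared SA with one replay window rejects legitimate traffic from
a second sender, and how keying the window on the source address fixes it.
"""
from dataclasses import dataclass, field

WINDOW = 64  # replay window size in packets (constructed; 64 is a common default)


@dataclass
class ReplayWindow:
    """Sliding anti-replay window: bit i of `bitmap` means seq (top - i) was seen."""
    top: int = 0          # highest sequence number accepted so far
    bitmap: int = 0       # WINDOW bits of history relative to `top`
    seen_any: bool = False

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; 0 is never valid
        if not self.seen_any:
            self.top, self.bitmap, self.seen_any = seq, 1, True
            return True
        if seq > self.top:
            # advance the window; old `top` moves to bit (seq - top)
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False  # fell off the left edge of the window: too old
        if self.bitmap & (1 << diff):
            return False  # already seen: replay
        self.bitmap |= 1 << diff
        return True


@dataclass
class Receiver:
    """ESP receiver. `per_sender` selects whether the source address is part of the SA key."""
    per_sender: bool
    windows: dict = field(default_factory=dict)

    def process(self, spi: int, dst: str, src: str, seq: int) -> bool:
        # Classic ESP lookup is (SPI, dst); the proposed SSM-style lookup adds src,
        # which gives every sender its own replay window under the same SPI.
        key = (spi, dst, src) if self.per_sender else (spi, dst)
        win = self.windows.setdefault(key, ReplayWindow())
        return win.check_and_update(seq)


# Constructed trace: two routers A and B both send to the VRRP group using the
# same statically configured SPI, each with its own sequence counter.
SPI = 0x1000                    # constructed value
GROUP = "224.0.0.18"            # IANA-assigned VRRP multicast group
SENDERS = {"A": "192.0.2.1", "B": "192.0.2.2"}   # RFC 5737 documentation addresses
TRACE = [("A", 1), ("B", 1), ("A", 2), ("B", 2), ("B", 3), ("A", 3),
         ("A", 2)]              # final packet is a genuine replay of A's seq 2


def run_trace(per_sender: bool):
    """Feed TRACE through a receiver; return (accepted, rejected, decisions)."""
    rx = Receiver(per_sender=per_sender)
    decisions = []
    for name, seq in TRACE:
        ok = rx.process(SPI, GROUP, SENDERS[name], seq)
        decisions.append((name, seq, ok))
    accepted = sum(1 for _, _, ok in decisions if ok)
    return accepted, len(decisions) - accepted, decisions


if __name__ == "__main__":
    for mode in (False, True):
        acc, rej, dec = run_trace(mode)
        print(f"per_sender={mode}: accepted={acc} rejected={rej}")
        for name, seq, ok in dec:
            print(f"  {name} seq={seq}: {'accept' if ok else 'DROP'}")
```

With one shared window, B's first packets collide with A's sequence space and are dropped as replays even though they are fresh, while the per-sender mode accepts all six legitimate packets and still drops the one real replay. The second proposed mode (source-aware demultiplexing) is what makes the first (per-sender replay state) implementable at the receiver.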