Re: new version of ESP ID
>First, section 2.2 deprecates sharing an SA among multiple senders to a 
>multicast group and in effect mandates single-sender multicast for ESP 
>groups.  The same is true for AH.  I'm aware of only one protocol, the VRRP 
>specification, that is affected by this change.  VRRP uses AH or ESP but 
>allows multi-source multicast groups.  We should notify the VRRP WG of this 
>potential change.

I brought this up at the WG meeting in Minneapolis.  Several protocols
that send multicasts on a LAN use this model (VRRP, OSPFv3, PIM,
IGMP come to mind).

I'd like to see two possible modes for use with multicast:
- anti-replay sequence number per sender, with a shared SA.
- including the source address when demultiplexing to permit SSM semantics.

I know that at least the first is completely opposite of the direction
that the group has been going.  However, especially with 64-bit anti-replay
sequence numbers, it permits protocols to use a standard, existing protocol
even when using static shared SAs.  Yes, a static shared SA buys you much
less protection than dynamically negotiated ones, but does that mean that it
should be ruled out?

  Bill
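The trade-off Bill describes, one anti-replay window for a shared SA versus one window per sender, is easy to see in code. The following is an added example written for this archive page, not code from the thread or from any IPsec implementation. It assumes an RFC-style sliding bitmap window of 64 entries, monotonically increasing 64-bit (ESN-style) sequence numbers with no wraparound handling, and a constructed packet trace of two senders, A and B, on the same multicast SA; `ReplayWindow`, `run_shared_sa` and `run_per_sender` are names chosen here, not names from any specification.

```python
"""Anti-replay on a multicast SA: one shared window vs. one window per sender.

Added illustration for the mailing-list discussion above; assumptions:
  * sequence numbers are 64-bit counters starting at 1, never wrapping
  * the receiver keeps a 64-entry sliding window (bitmap of seen numbers)
  * 'per sender' keys the window by the packet's source address
"""


class ReplayWindow:
    """Sliding anti-replay window: `top` is the highest accepted sequence
    number, bit i of `bitmap` records whether top - i has been seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay
        or has fallen behind the window."""
        if seq == 0:
            return False  # sequence numbers start at 1
        if seq > self.top:
            # advance the window so the new packet sits at bit 0
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: outside the window
        if self.bitmap & (1 << diff):
            return False  # already seen: replay
        self.bitmap |= 1 << diff
        return True


def run_shared_sa(packets, window=64):
    """Single window for the SA, as when several senders share it and the
    receiver cannot tell their counters apart."""
    w = ReplayWindow(window)
    return [w.check_and_update(seq) for _src, seq in packets]


def run_per_sender(packets, window=64):
    """One window per (SA, source address): the 'sequence number per sender
    with a shared SA' mode proposed in the mail."""
    windows = {}
    results = []
    for src, seq in packets:
        w = windows.setdefault(src, ReplayWindow(window))
        results.append(w.check_and_update(seq))
    return results


# Constructed trace: A and B each count from 1 on the same SA; the final
# packet is a replay of A's second packet.
TRACE = [
    ("A", 1), ("B", 1), ("A", 2), ("B", 2),
    ("A", 3), ("B", 3), ("A", 4), ("A", 2),
]

# Constructed trace: senders whose counters are far apart (B is "too old"
# for a window that A has already advanced).
SKEWED = [("A", 1000), ("B", 5)]


if __name__ == "__main__":
    for name, trace in (("interleaved", TRACE), ("skewed", SKEWED)):
        print(name)
        print("  shared SA   :", run_shared_sa(trace))
        print("  per sender  :", run_per_sender(trace))
```

With the shared window every one of B's legitimate packets is rejected as a replay of A's, and in the skewed trace B is dropped as stale; with per-sender windows all genuine packets pass and only the actual replay of A's packet 2 is refused. The same keying by source address is what the second proposed mode (source-specific demultiplexing) would give the receiver for free.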