
Re: new version of ESP ID



At 09:59 AM 7/9/2002 -0700, Bill Fenner wrote:

> >First, section 2.2 deprecates sharing an SA among multiple senders to a
> >multicast group and in effect mandates single-sender multicast for ESP
> >groups.  The same is true for AH.  I'm aware of only one protocol, the VRRP
> >specification, that is affected by this change.  VRRP uses AH or ESP but
> >allows multi-source multicast groups.  We should notify the VRRP WG of this
> >potential change.
>
>I brought this up at the WG meeting in Minneapolis.  Several protocols
>that send multicasts on a LAN use this model (VRRP, OSPFv3, PIM,
>IGMP come to mind).

Yes, of course, though a number of people think that IGMP security is
needless (and voiced that in the last gsec meeting).  You made an
important point in your previous note about SSM and the usefulness
of the source address in identifying the multicast SA.


>I'd like to see two possible modes for use with multicast:
>- anti-replay sequence number per sender, with a shared SA.
>- including the source address when demultiplexing to permit SSM semantics.
>
>I know that at least the first is completely opposite of the direction
>that the group has been going.  However, especially with 64-bit anti-replay
>sequence numbers, it permits protocols to use a standard, existing protocol
>even when using static shared SAs.  Yes, a static shared SA buys you much
>less protection than dynamically negotiated ones, but does that mean that it
>should be ruled out?

I don't understand the distinction between static and dynamic SAs.
Is the distinction between a single-sender multicast SA versus
a multi-sender multicast SA?

I think that it is a more robust solution to identify the multicast
SA using the source address as well as the SPI and destination
address.  This is what many of us who worked in smug thought we
would do with MESP.  Now that Steve is addressing multicast in
ESP and AH, it's not clear to me how msec should proceed with
MESP.

Mark


>   Bill
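To make the trade-off discussed above concrete, here is an added example (not code from the thread or from any IPsec implementation): a receiver with a single anti-replay window keyed by (SPI, destination) rejects a second sender's legitimate packets as replays, while keying the window by (source, SPI, destination), as Mark proposes, or equivalently keeping one window per sender on a shared SA, as Bill's first mode proposes, accepts both senders and still catches a real replay. The 32-entry sliding window and the constructed VRRP-style traffic (two routers, SPI 0x100, group 224.0.0.18) are assumptions.

```python
# Added example, not part of the original thread. Assumption: a 32-entry
# sliding anti-replay window of the kind described in RFC 2401, used to
# model a receiver of ESP/AH multicast traffic from several senders.

WINDOW = 32  # window size in sequence numbers (assumed)

class ReplayWindow:
    """Tracks the highest sequence number seen plus a bitmap of recent ones."""
    def __init__(self):
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and within the window."""
        if seq == 0:
            return False                 # sequence number 0 is never valid
        if seq > self.top:               # advance the window to seq
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False                 # too old: fell out of the window
        if self.bitmap & (1 << diff):
            return False                 # already seen: a replay
        self.bitmap |= 1 << diff
        return True

def run(packets, per_sender):
    """Feed (src, spi, dst, seq) tuples to a receiver; return accepted count.
    per_sender=False: one shared window keyed by (spi, dst).
    per_sender=True:  a window keyed by (src, spi, dst), i.e. per sender."""
    windows = {}
    accepted = 0
    for src, spi, dst, seq in packets:
        key = (src, spi, dst) if per_sender else (spi, dst)
        if windows.setdefault(key, ReplayWindow()).check_and_update(seq):
            accepted += 1
    return accepted

# Constructed traffic: two routers share SPI 0x100 to 224.0.0.18 and each
# numbers its own packets from 1; their packets interleave on the wire.
# The final tuple is a genuine replay of router 2's third packet.
_R1 = [("10.0.0.1", 0x100, "224.0.0.18", s) for s in range(1, 6)]
_R2 = [("10.0.0.2", 0x100, "224.0.0.18", s) for s in range(1, 6)]
PACKETS = [p for pair in zip(_R1, _R2) for p in pair] + [_R2[2]]

if __name__ == "__main__":
    print("shared window accepted:", run(PACKETS, per_sender=False))  # 5
    print("per-sender windows accepted:", run(PACKETS, per_sender=True))  # 10
```

With the shared window every packet from the second router is dropped as a replay because the first router already used the same sequence numbers; with per-sender state all ten legitimate packets pass and only the replayed one is rejected.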