
Re: new version of ESP ID



Steve,

At 05:54 PM 7/12/2002 -0400, Stephen Kent wrote:
>Mark,
>
>>
>>I don't understand the distinction between static and dynamic SAs.
>>Is the distinction between a single-sender multicast SA versus
>>a multi-sender multicast SA?
>>
>>I think that it is a more robust solution to identify the multicast
>>SA using the source address as well as the SPI and destination
>>address.  This is what many of us who worked in smug thought we
>>would do with MESP.  Now that Steve is addressing multicast in
>>ESP and AH, it's not clear to me how msec should proceed with
>>MESP.
>
>There is a big distinction between single and multi-sender SAs, as we have 
>discussed. One cannot make use of anti-replay for a multi-sender SA, 
>unless we seriously change the model and I explained in my message to Bill 
>why I don't think that's a reasonable change to pursue.

I think I understand your rationale.  We should at least document the fact 
that it may be necessary to identify the multicast ESP SA using the triple 
<source, destination, SPI> for source-specific multicast - for some 
applications.  I think Bill and Radia's previous comments to this thread 
explain why.  If all sources to a multicast address use the same group key 
controller, then I don't see a problem.  If some sources to a multicast 
address use distinct group key controllers (e.g., each source acts as its 
own controller), then there is the potential for SPI collisions and means 
must be invented to handle these collisions.

Mark


>I am opposed to the suggestion to use both source and destination address 
>for demuxing multicast SAs, as it just adds to the comparisons that need 
>to be made. As more folks go to high speed hardware implementations, using 
>more fields for demuxing turns into more CAM entries, ...  Why can't we 
>swap destination address demuxing for source address demuxing for multicast?
>
>Steve
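As an added illustration of the two positions above (example code, not from the thread or any IPsec implementation), the following Python models an SA database that demuxes inbound multicast ESP either on <destination, SPI> or on the triple <source, destination, SPI>. Two senders that each act as their own group key controller independently choose the same SPI for the same group; the addresses and SPI are constructed sample values.

```python
"""Toy model of multicast ESP SA demuxing.

Compares a 2-field key (dst, SPI) with a 3-field key (src, dst, SPI)
to show the SPI collision that arises when sources to one group use
distinct key controllers, and the extra match field the triple costs.
All addresses, SPIs and controller names are constructed."""
from dataclasses import dataclass


@dataclass
class SA:
    src: str
    dst: str
    spi: int
    key_id: str  # which group key controller issued this SA's keys


class SADB:
    def __init__(self, use_source: bool):
        self.use_source = use_source
        self.table = {}

    def _key(self, src, dst, spi):
        # Triple when source demuxing is on, otherwise dst+SPI only.
        return (src, dst, spi) if self.use_source else (dst, spi)

    def add(self, sa: SA) -> bool:
        """Install an SA; return False if its demux key already exists."""
        k = self._key(sa.src, sa.dst, sa.spi)
        if k in self.table:
            return False
        self.table[k] = sa
        return True

    def lookup(self, src, dst, spi):
        return self.table.get(self._key(src, dst, spi))


def collision_demo(use_source: bool) -> dict:
    """Two independent controllers pick SPI 0x1000 for the same group."""
    db = SADB(use_source)
    group = "232.1.1.1"  # constructed SSM group address
    first_ok = db.add(SA("10.0.0.1", group, 0x1000, "ctrl-A"))
    second_ok = db.add(SA("10.0.0.2", group, 0x1000, "ctrl-B"))
    # An inbound packet from sender B: which SA (and keys) is selected?
    hit = db.lookup("10.0.0.2", group, 0x1000)
    return {"first_ok": first_ok, "second_ok": second_ok,
            "selected_controller": hit.key_id if hit else None,
            "fields_compared": len(next(iter(db.table)))}
```

With `use_source=False` the second SA cannot be installed and sender B's traffic is matched to controller A's keys; with `use_source=True` both coexist, at the cost of one more field per lookup entry.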