
Re: new version of ESP ID
At 7:38 AM -0700 7/20/02, Mark Baugher wrote:
>Steve,
>
>At 05:54 PM 7/12/2002 -0400, Stephen Kent wrote:
>>Mark,
>>
>>>
>>>I don't understand the distinction between static and dynamic SAs.
>>>Is the distinction between a single-sender multicast SA versus
>>>a multi-sender multicast SA?
>>>
>>>I think that it is a more robust solution to identify the multicast
>>>SA using the source address as well as the SPI and destination
>>>address.  This is what many of us who worked in smug thought we
>>>would do with MESP.  Now that Steve is addressing multicast in
>>>ESP and AH, it's not clear to me how msec should proceed with
>>>MESP.
>>
>>There is a big distinction between single and multi-sender SAs, as 
>>we have discussed. One cannot make use of anti-replay for a 
>>multi-sender SA, unless we seriously change the model and I 
>>explained in my message to Bill why I don't think that's a 
>>reasonable change to pursue.
>
>I think I understand your rationale.  We should at least document 
>the fact that it may be necessary to identify the multicast ESP SA 
>using the triple <source, destination, SPI> for source-specific 
>multicast - for some applications.  I think Bill and Radia's 
>previous comments to this thread explain why.  If all sources to a 
>multicast address use the same group key controller, then I don't 
>see a problem.  If some sources to a multicast address use distinct 
>group key controllers (e.g., each source acts as its own 
>controller), then there is the potential for SPI collisions and 
>means must be invented to handle these collisions.
>
>Mark

Mark,

I don't feel that we have good enough answers to proceed, yet. We 
cannot proceed on the basis of "may be necessary." What we need is a 
concise description of what is required for multicast traffic 
demuxing, based on extant protocol standards, including how SPIs will 
be assigned in the context of these protocols. Implementors cannot 
reasonably deal with the current level of vague characterization of 
requirements floating around in this discussion. For example, if 
there are two group key controllers for a multicast session, and each 
assigns SPIs independently to subscribers (and thus the collision 
potential), which SPI will a sender put in an outbound packet to 
ensure that all recipients will recognize it?

Steve
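The receiver-side SPI collision discussed in this exchange, as an added illustration that is not part of the thread and not code from any of the participants: a toy Security Association Database keyed either by <destination, SPI> or by <source, destination, SPI>, fed two constructed scenarios (each sender acting as its own group key controller and both choosing the same SPI, versus one shared controller handing out distinct SPIs). Addresses, SPI values and the controller labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: how an inbound multicast ESP packet is matched to an SA
# when the SAD is keyed by <dst, SPI> versus <src, dst, SPI>.


@dataclass(frozen=True)
class SA:
    src: str          # sender address (constructed)
    dst: str          # multicast group address (constructed)
    spi: int          # SPI assigned by the group key controller
    controller: str   # hypothetical label for the controller that issued the SA


class SAD:
    """Security Association Database keyed by (dst, spi) or by (src, dst, spi)."""

    def __init__(self, key_on_source: bool) -> None:
        self.key_on_source = key_on_source
        self.entries: Dict[Tuple, SA] = {}

    def _key(self, src: str, dst: str, spi: int) -> Tuple:
        return (src, dst, spi) if self.key_on_source else (dst, spi)

    def install(self, sa: SA) -> bool:
        """Install an SA; return False (keeping the existing entry) on a key collision."""
        key = self._key(sa.src, sa.dst, sa.spi)
        if key in self.entries:
            return False
        self.entries[key] = sa
        return True

    def demux(self, src: str, dst: str, spi: int) -> Optional[str]:
        """Return the controller label of the SA an inbound packet is matched to."""
        sa = self.entries.get(self._key(src, dst, spi))
        return sa.controller if sa else None


GROUP = "239.1.2.3"  # constructed multicast group address

# Case 1: each source acts as its own group key controller and, independently,
# picks SPI 0x1000 for the same group (the collision described in the thread).
INDEPENDENT_CONTROLLERS: List[SA] = [
    SA("10.0.0.1", GROUP, 0x1000, "controller-A"),
    SA("10.0.0.2", GROUP, 0x1000, "controller-B"),
]

# Case 2: one shared group key controller hands out distinct SPIs per sender.
SHARED_CONTROLLER: List[SA] = [
    SA("10.0.0.1", GROUP, 0x1000, "shared"),
    SA("10.0.0.2", GROUP, 0x1001, "shared"),
]


def run(sas: List[SA], key_on_source: bool) -> Tuple[List[SA], Dict[str, Optional[str]]]:
    """Install the SAs, then demux one inbound packet from each sender.

    Returns (SAs rejected as collisions, {src: controller the packet matched}).
    With a (dst, spi) key and independent controllers, the second SA cannot be
    installed and packets from 10.0.0.2 are processed under controller-A's SA,
    i.e. with the wrong key, so their integrity check would fail.
    """
    sad = SAD(key_on_source)
    rejected = [sa for sa in sas if not sad.install(sa)]
    matched = {sa.src: sad.demux(sa.src, sa.dst, sa.spi) for sa in sas}
    return rejected, matched


if __name__ == "__main__":
    for name, sas in (("independent", INDEPENDENT_CONTROLLERS), ("shared", SHARED_CONTROLLER)):
        for key_on_source in (False, True):
            rejected, matched = run(sas, key_on_source)
            print(f"{name:11s} key_on_source={key_on_source}: "
                  f"rejected={len(rejected)} matched={matched}")
```

Under the two-tuple key only the shared-controller case demuxes correctly; the three-tuple key resolves the independent-controller collision on the receiver, but it does nothing for the sender-side question raised above of which SPI to put in an outbound packet, which still needs the controllers to agree.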