
Re: draft-gupta-ospf-ospfv3-auth-01.txt



Hi Jean-Mickael,

Thanks for the correction. You are right. The word OSPF needs to be removed from
there. The new sentence should be
"In the incoming path, protocol, SPI and ingress interface ID MUST be used
to locate the SA to be applied."
where the protocol can be ESP or AH.

Check against the inbound policy linked to the SA should be done by the
general IPsec implementation. I don't see anything that needs to be handled
differently for OSPFv3. So, I think, we don't need to add anything about it
in this draft.

I will make the suggested correction in the next version of the draft.

Cheers.
Mukesh

Jean-Mickael Guerin wrote:

> Hello,
> I have a question concerning SA granularity. The draft says:
> In the incoming path, OSPF protocol, SPI and ingress interface ID MUST
> be used to locate the SA to be applied.
> If ESP is used with non-null encryption, I think that OSPF protocol
> field is not available.
> If I'm correct, I think in this case we can only use SPI and ingress
> interface. If the incoming packet is decrypted correctly, then we can check
> against an inbound policy linked to this SA, which would have protocol
> selector set to OSPF protocol.
>
> Regards,
>
> Jean-Mickael

--
******************************************************************
Work fascinates me. I can look at it for  hours !
******************************************************************
Mukesh Gupta
Phone: (650) 625-2264
Cell : (650) 868-9111
http://www.iprg.nokia.com/~mgupta
******************************************************************
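
The lookup order discussed in this thread, as an added example that is not part of the original messages or of the draft: the SA is located from the cleartext fields (IPsec protocol, SPI, ingress interface ID), and the protocol selector of the linked inbound policy is checked only after decryption. The SAD entries, function names and packet bytes are constructed for illustration, and the parser assumes no extension headers precede ESP or AH.

```python
import struct
from typing import NamedTuple, Optional

ESP, AH, OSPF = 50, 51, 89           # IANA IP protocol numbers

class SA(NamedTuple):
    name: str
    policy_next_header: int           # protocol selector of the linked inbound policy

# Constructed SAD, keyed on (IPsec protocol, SPI, ingress interface ID).
SAD = {
    (ESP, 0x1001, 2): SA("esp-if2", OSPF),
    (AH,  0x1001, 2): SA("ah-if2", OSPF),
    (ESP, 0x1001, 3): SA("esp-if3", OSPF),
}

def locate_sa(packet: bytes, ifindex: int) -> Optional[SA]:
    """Look up the SA using only fields readable before decryption."""
    proto = packet[6]                 # outer IPv6 Next Header: ESP or AH, never OSPF
    if proto == ESP:
        (spi,) = struct.unpack_from("!I", packet, 40)   # ESP: SPI is the first word
    elif proto == AH:
        (spi,) = struct.unpack_from("!I", packet, 44)   # AH: SPI is the second word
    else:
        return None                   # not IPsec-protected
    return SAD.get((proto, spi, ifindex))

def policy_check(sa: SA, inner_next_header: int) -> bool:
    """Run after ESP decryption / AH verification, when the inner protocol is known."""
    return inner_next_header == sa.policy_next_header

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet (zeroed addresses) for the demo."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + bytes(32) + payload

if __name__ == "__main__":
    # ESP header (SPI, sequence number) followed by a stand-in for ciphertext.
    esp_pkt = ipv6(ESP, struct.pack("!II", 0x1001, 1) + bytes(16))
    sa = locate_sa(esp_pkt, ifindex=2)
    # The inner next header (OSPF here) is assumed to come from the decrypted ESP trailer.
    print(sa.name, policy_check(sa, OSPF), policy_check(sa, 6))
```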