
Re: AHbis WG LC: need for source address based selectors



Stephen Kent writes:
> >I don't know how to handle this so late in the process.  I would
> >like to see the text to be sufficiently revised to allow source
> >address based SA selection, so that we could use it directly in SEND.
> >However, I have no idea how the IPSEC WG would feel about that.
...
> considerable debate and analysis, to accommodate SSM.  Your proposed 
> change represents yet another bit of complexity for an IPsec 
> implementation and I question whether the WG ought to agree to such a 
> change at this late date.

If I understand correctly Pekka is asking that the document does not
say you MUST NOT allow source address based SA selection (I do not
think it currently says so). I assume that if it does not say that
this is forbidden, or even better says that implementations MAY
support SA selection based on the SPI and source address, he will be
happy.

Even if the document says "MAY" to this thing, it does not require
anybody to change anything nor does it make any implementations
non-conforming. We are simply allowing implementations to also have
this kind of feature.

I.e., adding something like this to the text:

"The SPIs from the reserved range may use different demultiplexing
algorithms and use source and/or destination address and/or protocols
and/or some other information for the actual demultiplexing. A
document describing a new reserved SPI number MUST also specify the
demultiplexing algorithm used for that specific SPI."
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
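The following is an added illustration of the demultiplexing rule proposed in the mail above; it is not code from the thread, from SEND, or from any IPsec implementation. It models a toy inbound Security Association Database in which ordinary SPIs are looked up by (protocol, SPI) alone, while SPIs in the IANA-reserved range (1 to 255) are looked up by (protocol, SPI, source address). The reserved-range rule, the `InboundSAD` class, and the sample addresses (taken from the 2001:db8::/32 documentation prefix) are all constructed for this example. A packet whose key matches no SA gets `None`, i.e. it is dropped, which is the behaviour a receiver would want when a peer it has no SA with reuses a reserved SPI.

```python
"""Toy inbound SA demultiplexing (constructed example).

Ordinary SPIs: key = (protocol, SPI).
Reserved-range SPIs: key = (protocol, SPI, source address), which is the
extra selector the mail proposes a reserved SPI's defining document could
specify.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

# SPI values 1..255 are reserved by IANA. Treating them as carrying a
# source-address selector is this example's assumption, not a standard rule.
RESERVED_SPI_MIN = 1
RESERVED_SPI_MAX = 255


def spi_is_reserved(spi: int) -> bool:
    """True for SPIs in the IANA-reserved range."""
    return RESERVED_SPI_MIN <= spi <= RESERVED_SPI_MAX


@dataclass(frozen=True)
class SA:
    protocol: str               # "AH" or "ESP"
    spi: int
    src: Optional[str] = None   # required for reserved SPIs, forbidden otherwise
    label: str = ""             # human-readable tag used by the demo


class InboundSAD:
    """Inbound SAD keyed by a tuple whose length depends on the SPI range."""

    def __init__(self) -> None:
        self._table: Dict[Tuple, SA] = {}

    @staticmethod
    def _key(protocol: str, spi: int, src: Optional[str]) -> Tuple:
        if spi_is_reserved(spi):
            if src is None:
                raise ValueError("reserved-range SPI needs a source address")
            # exploded form normalises case and zero compression of IPv6
            return (protocol, spi, ip_address(src).exploded)
        return (protocol, spi)

    def add(self, sa: SA) -> None:
        """Install an SA; reject conflicting or mis-specified entries."""
        if not spi_is_reserved(sa.spi) and sa.src is not None:
            raise ValueError("ordinary SPIs are demultiplexed by SPI alone")
        key = self._key(sa.protocol, sa.spi, sa.src)
        if key in self._table:
            raise ValueError(f"duplicate SA key {key}")
        self._table[key] = sa

    def lookup(self, protocol: str, spi: int, src: str) -> Optional[SA]:
        """Return the SA for an inbound packet, or None (packet is dropped)."""
        return self._table.get(self._key(protocol, spi, src))


def build_demo_sad() -> InboundSAD:
    """One ordinary SA plus two reserved-SPI SAs that differ only by source."""
    sad = InboundSAD()
    sad.add(SA("AH", 0x1000, label="ordinary unicast SA"))
    sad.add(SA("AH", 1, src="2001:db8::a", label="neighbour A"))   # constructed
    sad.add(SA("AH", 1, src="2001:db8::b", label="neighbour B"))   # constructed
    return sad


def demo() -> Dict[str, Optional[str]]:
    """Run four inbound lookups and report which SA (if any) each hit."""
    sad = build_demo_sad()

    def label(sa: Optional[SA]) -> Optional[str]:
        return sa.label if sa else None

    return {
        "ordinary, any source": label(sad.lookup("AH", 0x1000, "2001:db8::ff")),
        "reserved from A": label(sad.lookup("AH", 1, "2001:db8::a")),
        "reserved from B": label(sad.lookup("AH", 1, "2001:db8::b")),
        "reserved from unknown": label(sad.lookup("AH", 1, "2001:db8::c")),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:24s} -> {hit or 'no SA, drop'}")
```

The point of the two `neighbour` entries is the one the mail is making for SEND: with a source-address selector, several peers can share a single reserved SPI value and the receiver still lands on the right keying material, whereas an ordinary SPI would have to be unique per peer.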