2401bis Issue #74 -- Inbound SA lookup -- multicast & unicast

[Karen Seo <kseo@bbn.com>]

Folks,

Here's a description and proposed approach for:

IPsec Issue #:	74

Title:		Inbound SA lookup -- multicast & unicast

Description:
============
AH and ESP were modified to support (1) look up of unicast using only 
SPI (and optionally protocol), (2) lookup of multicast SAs using SPI 
+ destination address, and (3) lookup of multicast SAs using SPI + 
source address + destination address. The current version of 2401 
describes only lookup of unicast SAs using destination address, SPI, 
and optionally protocol.  It needs to be updated to match the SA 
lookup functionality described in AH and ESP.

Proposed approach:
==================
1. Modify the text describing Security Associations, the SAD, and SA 
lookup to include multicast SAs with text like the following (based 
on text from AH and ESP):

"For a unicast SA, the SPI can be used by itself to specify an SA, or 
it may be used in conjunction with the IPsec protocol type (AH or 
ESP). Since the SPI value is generated by the receiver for a unicast 
SA, whether the value is sufficient to identify an SA by itself, or 
whether it must be used in conjunction with the IPsec protocol value 
is a local matter. This mechanism for mapping inbound traffic to 
unicast SAs MUST be supported by all IPsec implementations.

If an IPsec implementation supports multicast SAs as well as unicast 
SAs, then it MUST use the following algorithm for mapping all inbound 
IPsec datagrams to SAs. (Implementations that support only unicast 
traffic need not implement this  algorithm.)  Each entry in the 
Security Association Database (SAD) must indicate whether the SA 
lookup makes use of (a) the SPI but neither the source or destination 
address (unicast), (b) the destination IP address plus the SPI, or 
(c) source plus destination IP addresses in addition to the SPI. 
(For multicast SAs, the protocol field is not employed for SA 
lookups.) Nominally, this indication can be represented by two bits, 
one associated with the source IP address and the other for the 
destination IP address. A "1" value for each bit indicates the need 
to match against the corresponding address field as part of the SA 
lookup process. Thus, for example, unicast SAs would have both bits 
set to zero, since neither the source nor destination IP address is 
required for SA matching.

For multicast methods that rely only on the destination address to 
specify a multicast group, only the destination bit would be set to 
"1," implying the need to use the destination address plus the SPI to 
determine the appropriate SA. For multicast methods (e.g., SSM 
[HC03]) that also require the source address to identify a multicast 
group, both bits would be set to "1."  (There is no current 
requirement to support multicast SA mapping based on the source 
address but not the destination address, thus one of the possible 
four values is not meaningful.) The indication as to whether source 
and destination address matching is required to map inbound IPsec 
traffic to SAs MUST be set either as a side effect of manual SA 
configuration or via negotiation using an SA management protocol, 
e.g., IKE."

  [HC03]    Holbrook, H., and Cain, B., "Source Specific Multicast for
            IP", Internet Draft, draft-ietf-ssm-arch-01.txt, November
            3, 2002.


Thank you,
Karen