[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
2401bis Issue #74 -- Inbound SA lookup -- multicast & unicast
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 74
Title: Inbound SA lookup -- multicast & unicast
Description:
============
AH and ESP were modified to support (1) look up of unicast using only
SPI (and optionally protocol), (2) lookup of multicast SAs using SPI
+ destination address, and (3) lookup of multicast SAs using SPI +
source address + destination address. The current version of 2401
describes only lookup of unicast SAs using destination address, SPI,
and optionally protocol. It needs to be updated to match the SA
lookup functionality described in AH and ESP.
Proposed approach:
==================
1. Modify the text describing Security Associations, the SAD, and SA
lookup to include multicast SAs with text like the following (based
on text from AH and ESP):
"For a unicast SA, the SPI can be used by itself to specify an SA, or
it may be used in conjunction with the IPsec protocol type (AH or
ESP). Since the SPI value is generated by the receiver for a unicast
SA, whether the value is sufficient to identify an SA by itself, or
whether it must be used in conjunction with the IPsec protocol value
is a local matter. This mechanism for mapping inbound traffic to
unicast SAs MUST be supported by all IPsec implementations.
If an IPsec implementation supports multicast SAs as well as unicast
SAs, then it MUST use the following algorithm for mapping all inbound
IPsec datagrams to SAs. (Implementations that support only unicast
traffic need not implement this algorithm.) Each entry in the
Security Association Database (SAD) must indicate whether the SA
lookup makes use of (a) the SPI but neither the source or destination
address (unicast), (b) the destination IP address plus the SPI, or
(c) source plus destination IP addresses in addition to the SPI.
(For multicast SAs, the protocol field is not employed for SA
lookups.) Nominally, this indication can be represented by two bits,
one associated with the source IP address and the other for the
destination IP address. A "1" value for each bit indicates the need
to match against the corresponding address field as part of the SA
lookup process. Thus, for example, unicast SAs would have both bits
set to zero, since neither the source nor destination IP address is
required for SA matching.
For multicast methods that rely only on the destination address to
specify a multicast group, only the destination bit would be set to
"1," implying the need to use the destination address plus the SPI to
determine the appropriate SA. For multicast methods (e.g., SSM
[HC03]) that also require the source address to identify a multicast
group, both bits would be set to "1." (There is no current
requirement to support multicast SA mapping based on the source
address but not the destination address, thus one of the possible
four values is not meaningful.) The indication as to whether source
and destination address matching is required to map inbound IPsec
traffic to SAs MUST be set either as a side effect of manual SA
configuration or via negotiation using an SA management protocol,
e.g., IKE."
[HC03] Holbrook, H., and Cain, B., "Source Specific Multicast for
IP", Internet Draft, draft-ietf-ssm-arch-01.txt, November
3, 2002.
Thank you,
Karen