
[Ipsec] multicast group SA directionality


While stepping through the RFC2401-bis draft mapping to GSAKMP, I
came across a few sections where it talks about SA directionality:

1. Section 4.4.1, page 16, says "For traffic protected by IPsec, the source
and destination address and port are swapped... consistent with IKE".

2. Section 5.1, step 3 on page 30, also assumes bi-directional SA setup.

My question: these passages seem to have assumed IKE bi-directional
security associations, correct? Would it be reasonable to adjust the
RFC2401-bis text in these sections to also allow unidirectional SAs?

As motivation, in some multicast applications the group SA is really
unidirectional, as there is one speaker and many receivers. As a
reasonable group security policy, the receiver endpoints would have their
SPD set up to both receive that speaker's transmission and inhibit their
ability to send to the group. In other words, only authorized endpoints
send to the group; unauthorized endpoints have their traffic discarded by
unidirectional SPD-O entries.


Ipsec mailing list
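The one-speaker group policy sketched in the message above, as an added worked example that is not part of the original post and not text from RFC 2401-bis or RFC 4301: a small model of ordered SPD-I/SPD-O lookup plus an inbound SAD selector check, with the speaker holding the only PROTECT entry for the group and the receiver holding a DISCARD SPD-O entry toward it. The addresses (192.0.2.x, the 233.252.0.1 group from the MCAST-TEST-NET block), the SPI 0x1000 and the entry layout are constructed assumptions; the model goes one step beyond the post by also showing what happens to cleartext and SPI-spoofed traffic arriving at a receiver.

```python
"""Toy model of RFC 4301-style SPD/SAD processing for a one-speaker
multicast group. Constructed example: the addresses, SPI and entries are
assumptions, not taken from the mailing-list post or from any RFC text."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

DISCARD, BYPASS, PROTECT, ACCEPT = "DISCARD", "BYPASS", "PROTECT", "ACCEPT"

# Constructed endpoints and group (233.252.0.0/24 is the MCAST-TEST-NET block).
SPEAKER = ipaddress.ip_address("192.0.2.10")
RECEIVER = ipaddress.ip_address("192.0.2.20")
INTRUDER = ipaddress.ip_address("192.0.2.30")
GROUP_ADDR = ipaddress.ip_address("233.252.0.1")
GROUP = ipaddress.ip_network("233.252.0.1/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
GROUP_SPI = 0x1000  # assumed SPI of the single, unidirectional group SA


def host(addr):
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Entry:
    """One SPD entry (or, in the SAD, the selectors an SA is allowed to carry)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str
    spi: Optional[int] = None  # SA to use; meaningful for PROTECT entries only


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    spi: Optional[int] = None  # set when the packet arrived inside ESP


def lookup(spd, pkt):
    """Ordered SPD search: the first entry whose selectors cover the packet wins."""
    for e in spd:
        if pkt.src in e.src and pkt.dst in e.dst:
            return e
    return None


def outbound(spd_o, pkt):
    """SPD-O processing; no matching entry means DISCARD (the RFC 4301 default)."""
    e = lookup(spd_o, pkt)
    if e is None or e.action == DISCARD:
        return DISCARD
    if e.action == BYPASS:
        return BYPASS
    return (PROTECT, e.spi)  # the packet would be encapsulated under this SA


def inbound(spd_i, sad_in, pkt):
    """Inbound processing: SA traffic is checked against the SAD selectors,
    cleartext traffic against SPD-I."""
    if pkt.spi is not None:
        sa = sad_in.get(pkt.spi)
        if sa is None:
            return DISCARD  # no such inbound SA
        # In a real stack the ESP integrity check runs first; the selector
        # check here catches a packet that carries addresses the SA does
        # not cover. (Assumption of this model: the ICV already passed.)
        return ACCEPT if (pkt.src in sa.src and pkt.dst in sa.dst) else DISCARD
    e = lookup(spd_i, pkt)
    if e is not None and e.action == BYPASS:
        return ACCEPT
    return DISCARD  # DISCARD entry, PROTECT entry reached in the clear, or no entry


# Speaker: its only policy toward the group is PROTECT under the group SA.
SPEAKER_SPD_O = [Entry(host(SPEAKER), GROUP, PROTECT, GROUP_SPI)]

# Receiver: accept the speaker's transmission via the SA, never send to the group.
RECEIVER_SAD_IN = {GROUP_SPI: Entry(host(SPEAKER), GROUP, PROTECT, GROUP_SPI)}
RECEIVER_SPD_I = []                            # no BYPASS: cleartext to the group is dropped
RECEIVER_SPD_O = [Entry(ANY, GROUP, DISCARD)]  # the "inhibit sending" entry


def scenario():
    """Run the cases the post describes plus two arrivals at the receiver."""
    return {
        "speaker_sends": outbound(SPEAKER_SPD_O, Packet(SPEAKER, GROUP_ADDR)),
        "receiver_gets_sa": inbound(RECEIVER_SPD_I, RECEIVER_SAD_IN,
                                    Packet(SPEAKER, GROUP_ADDR, spi=GROUP_SPI)),
        "receiver_tries_send": outbound(RECEIVER_SPD_O, Packet(RECEIVER, GROUP_ADDR)),
        "unauth_cleartext": inbound(RECEIVER_SPD_I, RECEIVER_SAD_IN,
                                    Packet(INTRUDER, GROUP_ADDR)),
        "unauth_with_group_spi": inbound(RECEIVER_SPD_I, RECEIVER_SAD_IN,
                                         Packet(INTRUDER, GROUP_ADDR, spi=GROUP_SPI)),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:22s} -> {result}")
```

Nothing in the model needs a return-direction SA: the speaker has an outbound SA, the receivers have the matching inbound SA, and the receiver's SPD-O DISCARD entry is what enforces "only authorized endpoints send". Swapping source and destination to derive the reverse SA, as the bi-directional text does, would produce an SA the receiver's own policy forbids using.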