[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Ipsec] IPsec AH and ESP -- changes
I'm wondering about one minor detail in the changed text...
> From: kseo@bbn.com
> 2. AH and ESP (and 2401bis)-- Thanks go to Suman Sharma and George
> Gross for their input re: SAD entry lookup for inbound traffic in the
> presence of multicast SAs. Also, thanks go to George for draft text.
> We propose to replace the current text re: multicast lookup in
> o AH Section 2.4 "Security Parameters Index (SPI)", paragraph 2
> o ESP Section 2.1 "Security Parameters Index (SPI)", paragraph 2
>
> with the following text:
>
> "If an IPsec implementation supports multicast, then it MUST
> support multicast SAs using the algorithm below for mapping
> inbound IPsec datagrams to SAs. Implementations that support
> only unicast traffic need not implement this demultiplexing
> algorithm.
>
> In many secure multicast architectures, e.g., [RFC3740], a
> central Group Controller/Key Server unilaterally assigns the
> group security association's SPI. This SPI assignment is not
> negotiated or coordinated with the key management (e.g., IKE)
> subsystems that reside in the individual end systems that
> compromise the group. Consequently, it is possible that a
> group security association and a unicast security association
> can simultaneously use the same SPI. A multicast-capable IPsec
> implementation MUST correctly de-multiplex inbound traffic
> even in the context of SPI collisions.
>
> Each entry in the Security Association Database (SAD)
> [Ken-Arch] must indicate whether the SA lookup makes use of
> the destination, or destination and source, IP addresses, in
> addition to the SPI. For multicast SAs, the protocol field is
> not employed for SA lookups. ....
Why is protocol not employed? Protocol is either AH or ESP, and that
has always been a part of the SA identification. Why make an
unnecessary special case for multicast SA here?
Or, did I misunderstood something?
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec