
Re: [Ipsec] IPsec AH and ESP -- changes
> From: Brian Weis <bew@cisco.com>

>  From my recollection, the rationale was that a single key server would 
> likely be choosing SPIs for a single {source addr, destination addr} 
> pair.  That key server could probably be trusted to not choose the same 
> SPI for both an AH and ESP SA matching that flow. Therefore keeping the 
> protocol in the SA lookup was seen as unnecessary.
> 
> You're right though, it does special case the SA lookup logic. If the 
> protocol were optionally included in the multicast SA lookup as well as 
> the unicast SA lookup, the semantics would be consistent. This might 
> simplify the implementation of an SA lookup. I.e.,
> 
>   unicast: {SPI, [protocol]}
>   ASM multicast: {SPI, destination, [protocol]}
>   SSM multicast: {SPI, destination, source, [protocol]}

There is no point in talking about "optional protocol". You MUST check
the protocol anyway, as you are ALWAYS looking for either AH or ESP.

If you have an AH header at hand and look for the SA using the SPI only, it is
not very helpful if you find an ESP SA. Multicast does not change this
in any way.


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
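The point made in the reply above, that the protocol (AH or ESP) must always be part of the inbound SA lookup key, can be shown with a small Security Association Database model. This is an added illustration, not code from the thread or from any IPsec implementation; the SAD class, the SA entries, the SPI values and the addresses are all constructed for the demonstration. It contrasts a lookup by SPI alone with the lookup the thread converges on: `{SPI, protocol}` for unicast, `{SPI, destination, protocol}` for ASM multicast and `{SPI, destination, source, protocol}` for SSM multicast.

```python
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address
from typing import List, Optional


class Proto(IntEnum):
    """IP protocol numbers of the two IPsec headers (ESP per RFC 4303, AH per RFC 4302)."""
    ESP = 50
    AH = 51


@dataclass(frozen=True)
class SA:
    spi: int
    proto: Proto
    dst: str                   # unicast receiver or multicast group address
    src: Optional[str] = None  # set only for SSM multicast SAs
    name: str = ""             # label used by the demonstration only


class SAD:
    """Minimal Security Association Database (constructed model, not a real stack)."""

    def __init__(self) -> None:
        self._sas: List[SA] = []

    def add(self, sa: SA) -> None:
        self._sas.append(sa)

    def lookup_spi_only(self, spi: int) -> Optional[SA]:
        """The lookup the thread argues against: first SA carrying this SPI, protocol ignored."""
        return next((sa for sa in self._sas if sa.spi == spi), None)

    def lookup(self, spi: int, proto: Proto, dst: str, src: str) -> Optional[SA]:
        """Lookup with the protocol always in the key; addresses are added for multicast.

        proto is the header actually found in the packet (AH or ESP), so an AH
        packet can never be matched to an ESP SA that happens to share its SPI.
        """
        dst_ip = ip_address(dst)
        for sa in self._sas:
            if sa.spi != spi or sa.proto != proto:
                continue
            # Do not let a unicast packet match a multicast SA or vice versa.
            if ip_address(sa.dst).is_multicast != dst_ip.is_multicast:
                continue
            if dst_ip.is_multicast:
                if sa.dst != dst:                          # ASM and SSM: group must match
                    continue
                if sa.src is not None and sa.src != src:   # SSM: source must match as well
                    continue
            return sa
        return None


def build_sample_sad() -> SAD:
    """Constructed SAD in which the key server reused SPI 0x1000 for an AH and an ESP SA."""
    sad = SAD()
    sad.add(SA(0x1000, Proto.ESP, "10.0.0.2", name="esp-unicast"))
    sad.add(SA(0x1000, Proto.AH, "10.0.0.2", name="ah-unicast"))
    sad.add(SA(0x2000, Proto.ESP, "239.1.1.1", name="esp-asm"))
    sad.add(SA(0x2000, Proto.ESP, "232.1.1.1", src="10.0.0.1", name="esp-ssm"))
    return sad


if __name__ == "__main__":
    sad = build_sample_sad()
    # Inbound AH packet, SPI 0x1000, to 10.0.0.2: SPI-only lookup hands back the ESP SA.
    print("spi only :", sad.lookup_spi_only(0x1000).name)                            # esp-unicast
    print("keyed    :", sad.lookup(0x1000, Proto.AH, "10.0.0.2", "10.0.0.1").name)   # ah-unicast
    # Multicast: destination (ASM) and destination plus source (SSM) join the key.
    print("asm      :", sad.lookup(0x2000, Proto.ESP, "239.1.1.1", "10.0.0.1").name)  # esp-asm
    print("ssm      :", sad.lookup(0x2000, Proto.ESP, "232.1.1.1", "10.0.0.1").name)  # esp-ssm
    print("ssm/bad  :", sad.lookup(0x2000, Proto.ESP, "232.1.1.1", "10.0.0.9"))       # None
```

The SPI-only lookup only works as long as the key server never hands out the same SPI to an AH SA and an ESP SA for the same flow; the keyed lookup does not depend on that assumption, and the multicast cases differ from unicast only by the extra address fields, which is the consistent semantics the quoted message asks for.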