
Re: Re: Re: [ssm] SSM with IPSec



Toerless,

At 02:08 PM 1/15/2003 -0800, Toerless Eckert wrote:
>Ok, thanks for the insight. One issue is still that the solution
>needs to support the two cases:
>
>    - independent security associations for (S1,G) and (S2,G) if
>      G is an SSM group, because (S1,G) and (S2,G) don't necessarily
>      have a connection.
>    - same security association for (S1,G) and (S2,G) if G is an ASM
>      group.
>
>Now how to determine what kind of security association is needed,
>I don't know. Probably it would be a good thing if that could be determined
>somewhat application specific, but not necessarily requiring the IPsec
>framework to know the distinction between ASM/SSM.

When the security association is pushed down to the member by key 
management, there will need to be a flag that declares whether it is 
indexed with the source address (SSM) or not (ASM), i.e. whether multiple 
sources will share that SA.  We might be able to leave it at this level 
without explicitly declaring it to be ASM or SSM to IPsec.  In fact, this 
would allow ASM groups to be indexed by source address (a separate SA for 
each sender) or SSM to not be indexed by source address (one SA for 
multiple channels).  Whether this makes sense or not is a matter of policy 
that is implemented in the key server.

Mark


>Cheers
>         Toerless

_______________________________________________
ssm mailing list
ssm@ietf.org
https://www1.ietf.org/mailman/listinfo/ssm
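The per-SA flag Mark describes can be pictured as a receiver-side SA table with two indexes. The sketch below is an added example, not code from the thread or from any IPsec implementation; the class and field names, addresses, SPIs and key ids are all hypothetical, and the "exact match first, then shared" lookup order is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class GroupSA:
    group: str             # multicast destination address G
    spi: int
    key_id: str            # stands in for the keying material
    source_indexed: bool   # the flag pushed down by key management
    source: Optional[str] = None  # sender S, required when source_indexed


class GroupSADatabase:
    def __init__(self):
        self._by_source = {}  # (S, G, SPI) -> SA, one sender per SA
        self._shared = {}     # (G, SPI)    -> SA, all senders share it

    def install(self, sa: GroupSA) -> None:
        if not ip_address(sa.group).is_multicast:
            raise ValueError("group SA needs a multicast destination")
        if sa.source_indexed != (sa.source is not None):
            raise ValueError("source must be set exactly when source_indexed")
        if sa.source_indexed:
            self._by_source[(sa.source, sa.group, sa.spi)] = sa
        else:
            self._shared[(sa.group, sa.spi)] = sa

    def lookup(self, source: str, group: str, spi: int) -> Optional[GroupSA]:
        """Inbound lookup: exact (S, G, SPI) first, then the shared (G, SPI)."""
        sa = self._by_source.get((source, group, spi))
        return sa if sa is not None else self._shared.get((group, spi))


def build_demo_sadb() -> GroupSADatabase:
    # Constructed sample data: documentation addresses, made-up SPIs and key ids.
    db = GroupSADatabase()
    # Two unrelated senders to one group that happen to pick the same SPI.
    db.install(GroupSA("232.1.1.1", 0x1000, "key-S1", True, "192.0.2.1"))
    db.install(GroupSA("232.1.1.1", 0x1000, "key-S2", True, "192.0.2.2"))
    # One SA shared by every sender to the group.
    db.install(GroupSA("239.1.1.1", 0x2000, "key-G", False))
    return db
```

The table itself never asks whether G is ASM or SSM; whether a given group gets per-sender or shared SAs is decided by whoever calls `install`, which is the key server's policy in Mark's description.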