
[MSEC] shared SA w/ automatic keying



Hi all,

The IPsec SA/SP management framework supports SAs shared among multiple devices (for unicast communication). This is probably frequently done when keys are set up manually. Because of this sharing, IKE cannot be used for automatic keying. However, GKM protocols cannot be used either, since the SPI (selected by the GCKS) may conflict with current SPIs. (SAs for unicast packets are looked up using the SPI solely. A distinguisher like a multicast dst. address as in msec-ipsec-extensions is not at hand.)

It seems that SA sharing is not compatible with automatic keying (or at least, automatic SPI selection); however, I could not find any statement on this in the ipsec/msec documents.

Of course, a question is why you would want to do SA sharing. (a) One point is connection state overhead. (b) Another may be unidirectional links. Consider this (contrived) scenario:

       A (GCKS)
      ^ ^
     /   \
    v     v
    B---->C

A can communicate bidirectionally with B and C, but C cannot send data to B. Therefore, B and C cannot negotiate keys; however, C may receive shared keys from A (which could be the GCKS in addition to a normal group member).

Not sure if (b) would happen in real world, but (a) may.

What is your opinion on this issue?

Thanks for any answers,
Michael
_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec
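The SPI-collision argument in the post above can be made concrete with a small model of a receiver's inbound SAD. This is an added illustration, not code from the post, from any IPsec stack or from the msec-ipsec-extensions draft. It assumes the two lookup disciplines the post contrasts (unicast SAs matched on the SPI alone, multicast SAs matched on SPI plus destination group address) and uses constructed SPI values, addresses and SA names; the helper names SAD, SA, demo_spi_collision and spi_free_on_all are hypothetical.

```python
"""Toy model of receiver-side IPsec SAD lookup, added to illustrate the post.

Inbound unicast SAs are matched on the SPI only, so a GCKS that hands out a
shared unicast SA with an SPI a receiver already uses collides with that
receiver's existing SA.  Multicast SAs carry the destination group address in
the lookup key, so the same SPI value is not a problem there.
All SPIs, addresses and SA names are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    name: str
    spi: int
    dst: Optional[str]  # None for unicast SAs (SPI alone identifies the SA)


def is_multicast(addr: str) -> bool:
    """IPv4 multicast range 224.0.0.0/4 (sample addresses are IPv4 only)."""
    first_octet = int(addr.split(".")[0])
    return 224 <= first_octet <= 239


class SAD:
    """Inbound SAD with a unicast table keyed by SPI and a multicast table
    keyed by (SPI, destination group)."""

    def __init__(self) -> None:
        self._unicast: Dict[int, SA] = {}
        self._multicast: Dict[Tuple[int, str], SA] = {}

    def install_unicast(self, sa: SA) -> None:
        # The SPI is the whole key, so a duplicate SPI is a hard collision.
        if sa.spi in self._unicast:
            raise ValueError(
                f"SPI {sa.spi:#x} already used by {self._unicast[sa.spi].name}")
        self._unicast[sa.spi] = sa

    def install_multicast(self, sa: SA) -> None:
        # Group address disambiguates, so only (SPI, group) must be unique.
        key = (sa.spi, sa.dst)
        if key in self._multicast:
            raise ValueError(f"(SPI {sa.spi:#x}, {sa.dst}) already in use")
        self._multicast[key] = sa

    def has_unicast_spi(self, spi: int) -> bool:
        return spi in self._unicast

    def lookup(self, spi: int, dst: str) -> Optional[SA]:
        """Receiver-side match for an inbound packet with the given SPI/dst."""
        if is_multicast(dst):
            return self._multicast.get((spi, dst))
        return self._unicast.get(spi)


def spi_free_on_all(sads: List[SAD], spi: int) -> bool:
    """A GCKS could only pick an SPI for a shared unicast SA safely if it were
    free on every intended receiver, which requires knowledge of each
    receiver's local SPI space (the coordination problem the post points at)."""
    return not any(sad.has_unicast_spi(spi) for sad in sads)


def demo_spi_collision() -> dict:
    """Walk through the post's scenario: C already holds a locally chosen
    unicast SA; the GCKS A then distributes a shared SA with the same SPI."""
    c_sad = SAD()
    c_sad.install_unicast(SA("C<-A pairwise", spi=0x1000, dst=None))
    result = {}
    try:
        c_sad.install_unicast(SA("shared B->C (from GCKS)", spi=0x1000, dst=None))
        result["unicast_collision"] = False
    except ValueError:
        result["unicast_collision"] = True
    # Same SPI value for a multicast SA: the group address keeps it distinct.
    c_sad.install_multicast(SA("group 239.1.1.1 (from GCKS)", spi=0x1000, dst="239.1.1.1"))
    result["multicast_lookup"] = c_sad.lookup(0x1000, "239.1.1.1").name
    result["unicast_lookup"] = c_sad.lookup(0x1000, "10.0.0.3").name
    # A second receiver B with a different local SPI in use.
    b_sad = SAD()
    b_sad.install_unicast(SA("B<-A pairwise", spi=0x2000, dst=None))
    result["spi_0x1000_free_everywhere"] = spi_free_on_all([b_sad, c_sad], 0x1000)
    result["spi_0x3000_free_everywhere"] = spi_free_on_all([b_sad, c_sad], 0x3000)
    return result


if __name__ == "__main__":
    for k, v in demo_spi_collision().items():
        print(f"{k}: {v}")
```

The model keeps the two tables separate only to make the key difference visible; a real SAD would use a single table with a composite key, but the point stands either way: with SPI-only matching for unicast, any party other than the receiver choosing the SPI can only avoid collisions if it knows the receiver's current SPI usage.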