[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MSEC] shared SA w/ automatic keying

To: Michael Noisternig <mnoist at cosy.sbg.ac.at>
Subject: Re: [MSEC] shared SA w/ automatic keying
From: gmgietf at identaware.com
Date: Mon, 03 Nov 2008 22:14:17 -0500
Cc: msec at ietf.org
Delivered-to: ietfarch-msec-web-archive at core3.amsl.com
Delivered-to: msec at core3.amsl.com
In-reply-to: <490F11E4.5030006 at cosy.sbg.ac.at>
List-archive: <http://www.ietf.org/pipermail/msec>
List-help: <mailto:msec-request@ietf.org?subject=help>
List-id: Multicast Security List <msec.ietf.org>
List-post: <mailto:msec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
References: <490F11E4.5030006 at cosy.sbg.ac.at>
Sender: msec-bounces at ietf.org

Hi Michael,I am not sure that I understand your question. I think you are describing anapplication wherein one unicast IPsec SA is shared by a set of three or moreendpoints. Although this proposed SA resembles a group IPsec SA, in yourscenario the SA is identified only by its SPI, and not using the 2-tuple{destination multicast IP address, SPI}. The SA identifier topic isdiscussed in section 4.1 of RFC4301. It explains how SPI assignments of aGKM are kept independent of the SPI assigned by an IKE subsystem.Perhaps your question could be rephrased to be: how could IKE and a GKMcoordinate their SPI assignments such that IKE does not assign a unicast SPIthat has been allocated by the GKM to a group IPsec SA? or assure that anSPI allocated by the IKE is not used by the GKM?There is no IPsec standardized method to achieve this constraint on unicastSPI assignment. Coordination of IKE and the GKM would require thedistributed management of the SPI identifier space across all key managementsystems (both IKE and GKM) participating in a security domain.

hth,

GeorgeMichael Noisternig writes:

Hi all,the IPsec SA/SP management framework supports SAs shared among multipledevices (for unicast communication). This is probably frequently done whenkeys are set up manually. Because of this sharing, IKE cannot be used forautomatic keying. However, also GKM protocols cannot be used since the SPI(selected by the GCKS) may conflict with current SPIs. (SAs for unicastpackets are looked up using the SPI solely. A distinguisher like amulticast dst. address as in msec-ipsec-extensions is not at hand.)It seems that SA sharing is not compatible with automatic keying (or atleast, automatic SPI selection); however, I could not find any statementon this in the ipsec/msec documents.Of course, a question is why you would want to do SA sharing. (a) Onepoint is connection state overhead. (b) Another may be unidirectionallinks. Consider this (contrived) scenario:
       A (GCKS)
      ^ ^
     /   \
    v     v
B---->CA can communicate bidirectionally with B and C, but C cannot send data toB. Therefore, B and C cannot negotiate keys; however, C may receive sharedkeys from A (which could be the GCKS in addition to a normal groupmember).Not sure if (b) would happen in real world, but (a) may.What is your opinion on this issue?
Thanks for any answers,
Michael
_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec



_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec

Follow-Ups:
- Re: [MSEC] shared SA w/ automatic keying
  - From: Paul Lambert
- Re: [MSEC] shared SA w/ automatic keying
  - From: Michael Noisternig

References:
- [MSEC] shared SA w/ automatic keying
  - From: Michael Noisternig

Prev by Date: [MSEC] shared SA w/ automatic keying
Next by Date: Re: [MSEC] shared SA w/ automatic keying
Previous by thread: [MSEC] shared SA w/ automatic keying
Next by thread: Re: [MSEC] shared SA w/ automatic keying
Index(es):
- Date
- Thread