Steve,
At 05:54 PM 7/12/2002 -0400, Stephen Kent wrote:
> Mark,
>
> I don't understand the distinction between static and dynamic SAs. Is the distinction between a single-sender multicast SA versus a multi-sender multicast SA?
>
> > I think that it is a more robust solution to identify the multicast SA using the source address as well as the SPI and destination address. This is what many of us who worked in smug thought we would do with MESP. Now that Steve is addressing multicast in ESP and AH, it's not clear to me how msec should proceed with MESP.
>
> There is a big distinction between single and multi-sender SAs, as we have discussed. One cannot make use of anti-replay for a multi-sender SA, unless we seriously change the model and I explained in my message to Bill why I don't think that's a reasonable change to pursue.
I think I understand your rationale. We should at least document the fact that it may be necessary to identify the multicast ESP SA using the triple <source, destination, SPI> for source-specific multicast - for some applications. I think Bill and Radia's previous comments to this thread explain why. If all sources to a multicast address use the same group key controller, then I don't see a problem. If some sources to a multicast address use distinct group key controllers (e.g., each source acts as its own controller), then there is the potential for SPI collisions and means must be invented to handle these collisions.
Mark
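The two points argued in this exchange (SPI collisions when independent group key controllers feed one multicast address, and why a single anti-replay window cannot serve a multi-sender SA) can be shown with a toy SA database. The following is an added illustration, not code from the thread or from any IPsec implementation; the SA record, the `SADB` class, and all addresses, SPIs and key-controller names are constructed for the example.

```python
"""Multicast ESP SA lookup: (dst, SPI) versus (src, dst, SPI).

Hypothetical, self-contained illustration. An SA record here holds only the
id of the key controller that produced its key and a set of seen sequence
numbers standing in for an anti-replay window.
"""
from dataclasses import dataclass, field


@dataclass
class SA:
    key_id: str                                   # which group key controller issued the key
    replay_seen: set = field(default_factory=set)  # per-SA anti-replay state (simplified)


class SADB:
    """Receiver-side SA database; the key shape is the design choice under discussion."""

    def __init__(self, source_specific: bool):
        self.source_specific = source_specific
        self.table = {}

    def _key(self, src, dst, spi):
        # Classic IPsec identifies an inbound SA by <dst, SPI>; the thread
        # proposes <src, dst, SPI> for source-specific multicast.
        return (src, dst, spi) if self.source_specific else (dst, spi)

    def add(self, src, dst, spi, sa):
        k = self._key(src, dst, spi)
        if k in self.table:
            raise KeyError(f"SPI collision on {k}")
        self.table[k] = sa

    def lookup(self, src, dst, spi):
        return self.table.get(self._key(src, dst, spi))


def check_replay(sa, seq):
    """Accept a packet unless its sequence number was already seen on this SA."""
    if seq in sa.replay_seen:
        return False
    sa.replay_seen.add(seq)
    return True


def install_two_senders(source_specific):
    """Two senders, each acting as its own key controller, both choose SPI 0x1000
    for the same group address (constructed sample values)."""
    sadb = SADB(source_specific)
    group = "224.1.2.3"
    sa_a = SA(key_id="controller-A")
    sa_b = SA(key_id="controller-B")
    sadb.add("10.0.0.1", group, 0x1000, sa_a)
    try:
        sadb.add("10.0.0.2", group, 0x1000, sa_b)
    except KeyError:
        return "collision"
    # With the triple, each sender's packets resolve to the SA keyed by its controller.
    assert sadb.lookup("10.0.0.1", group, 0x1000) is sa_a
    assert sadb.lookup("10.0.0.2", group, 0x1000) is sa_b
    return "distinct"


def shared_sa_replay_outcome():
    """One SA shared by two senders that each keep their own sequence counter:
    the receiver's single window treats sender B's first packet as a replay."""
    shared = SA(key_id="shared-group-key")
    accepted_a = check_replay(shared, 1)  # sender A, seq 1
    accepted_b = check_replay(shared, 1)  # sender B, seq 1, legitimately distinct packet
    return accepted_a, accepted_b


if __name__ == "__main__":
    print("<dst, SPI> keyed SADB:", install_two_senders(source_specific=False))
    print("<src, dst, SPI> keyed SADB:", install_two_senders(source_specific=True))
    print("shared SA anti-replay (A, B):", shared_sa_replay_outcome())
```

`install_two_senders(False)` reproduces the collision that arises once sources pick SPIs independently, while `install_two_senders(True)` shows the triple keeping the two SAs apart; `shared_sa_replay_outcome()` is the multi-sender anti-replay failure referred to above, which the triple does not fix by itself since replay state still has to be per sender.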