Yup, that's correct, I had not considered multicast. SSM groups would use a 3-tuple SA identifier composed of an SPI, a dest mcast address, and the source IP. An Any-Source Multicast group SA would only require an SPI and a dest mcast identifier. If either of the IPs change, wouldn't the SAD lookup fail?
Cheers, Manav

> -----Original Message-----
> From: Richard Graveman [mailto:[email protected]]
> Sent: Friday, November 13, 2009 7:07 AM
> To: Bhatia, Manav (Manav)
> Cc: Daniel Migault; [email protected]; Stephen Kent; Kaeo;
> [email protected]
> Subject: Re: [IPsec] WESP - Roadmap Ahead
>
> I think this argument implicitly assumes unicast.
>
> Rich Graveman
>
> On Thu, Nov 12, 2009 at 8:18 PM, Bhatia, Manav (Manav)
> <[email protected]> wrote:
> > Daniel,
> >
> >> AH is a security feature we need to keep for header authentication
> >
> > Am really not sure about the value that AH adds even in case of header authentication.
> >
> > So what fields does AH protect:
> >
> > Version, Payload length, Next Header, Source IP and dest IP

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
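The SAD lookup question raised above, worked through as an added example (this is illustrative code written for this page, not code from the thread or from any real IPsec implementation). It models the inbound lookup keys RFC 4301, section 4.1, describes: SPI alone for a unicast SA, SPI plus destination group for an Any-Source Multicast SA, and SPI plus destination group plus source address for an SSM SA. The SPIs and addresses are constructed sample values, and `SAD`, `InboundSA` and `run_scenarios` are names chosen here, not standard identifiers. The scenarios show which address changes make the lookup miss for each kind of SA.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class InboundSA:
    """One inbound SA. Only the fields that take part in the lookup are modelled."""
    spi: int
    dst: IPv4Address               # unicast destination or multicast group
    src: Optional[IPv4Address]     # set only for an SSM group SA
    kind: str                      # "unicast", "asm" or "ssm"


class SAD:
    """Security Association Database keyed as RFC 4301 section 4.1 describes.

    Illustrative structure; a real implementation may add protocol (AH/ESP)
    to the unicast key, which the RFC also allows.
    """

    def __init__(self) -> None:
        self._unicast: Dict[int, InboundSA] = {}
        self._asm: Dict[Tuple[int, IPv4Address], InboundSA] = {}
        self._ssm: Dict[Tuple[int, IPv4Address, IPv4Address], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        if sa.kind == "ssm":
            if sa.src is None or not sa.dst.is_multicast:
                raise ValueError("SSM SA needs a source and a group destination")
            self._ssm[(sa.spi, sa.dst, sa.src)] = sa
        elif sa.kind == "asm":
            if not sa.dst.is_multicast:
                raise ValueError("ASM SA needs a group destination")
            self._asm[(sa.spi, sa.dst)] = sa
        elif sa.kind == "unicast":
            self._unicast[sa.spi] = sa
        else:
            raise ValueError(f"unknown SA kind {sa.kind!r}")

    def lookup(self, spi: int, src: IPv4Address, dst: IPv4Address) -> Optional[InboundSA]:
        """Inbound lookup for a received AH/ESP packet; None means 'no SA, drop'."""
        if dst.is_multicast:
            # SSM: 3-tuple. A rewritten source (or group) address changes the
            # key, so the packet no longer maps to its SA.
            sa = self._ssm.get((spi, dst, src))
            if sa is not None:
                return sa
            # ASM: 2-tuple. The source address does not take part at all.
            return self._asm.get((spi, dst))
        # Unicast: the SPI alone suffices (RFC 4301 4.1).
        return self._unicast.get(spi)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: does the lookup find an SA after each change?"""
    sad = SAD()
    sad.add(InboundSA(0x1000, ip_address("192.0.2.10"), None, "unicast"))
    sad.add(InboundSA(0x2000, ip_address("239.10.0.1"), None, "asm"))
    sad.add(InboundSA(0x3000, ip_address("232.10.0.1"),
                      ip_address("198.51.100.5"), "ssm"))

    def found(spi: int, src: str, dst: str) -> bool:
        return sad.lookup(spi, ip_address(src), ip_address(dst)) is not None

    return {
        # Unicast: keyed on SPI, so neither address change affects the lookup.
        "unicast_ok":          found(0x1000, "198.51.100.1", "192.0.2.10"),
        "unicast_src_changed": found(0x1000, "203.0.113.7", "192.0.2.10"),
        "unicast_dst_changed": found(0x1000, "198.51.100.1", "192.0.2.11"),
        # ASM: source is not part of the key; destination group is.
        "asm_ok":              found(0x2000, "198.51.100.1", "239.10.0.1"),
        "asm_src_changed":     found(0x2000, "203.0.113.7", "239.10.0.1"),
        "asm_dst_changed":     found(0x2000, "198.51.100.1", "239.10.0.2"),
        # SSM: both source and destination group are part of the key.
        "ssm_ok":              found(0x3000, "198.51.100.5", "232.10.0.1"),
        "ssm_src_changed":     found(0x3000, "203.0.113.7", "232.10.0.1"),
        "ssm_dst_changed":     found(0x3000, "198.51.100.5", "232.10.0.2"),
        "ssm_wrong_spi":       found(0x3001, "198.51.100.5", "232.10.0.1"),
    }


if __name__ == "__main__":
    for name, hit in run_scenarios().items():
        print(f"{name:22s} {'SA found' if hit else 'no SA (drop)'}")
```

Running it shows the asymmetry the thread is circling: a source address change is invisible to unicast and ASM lookups but breaks the SSM lookup, while a destination change breaks both multicast kinds and only the unicast SA (keyed on SPI alone) survives it.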
