
Re: Multicast with VPN

2001-04-05 21:30:03
At 03:58 04/04/01, dark dark wrote:
> hi,
> Does anyone have any idea if we can use IPSec with
> a multicast address?

        Where "IPsec" means "AH" and/or "ESP",
the answer is quite clearly yes and always has been.

> In RFC-2401 I have read
> "In principle, the Destination Address may be a
> unicast address, an IP broadcast address, or a
> multicast group address."

        More strongly phrased, the reason that the
combination of "Destination Address" (rather than,
for example, "Source Address") and SPI uniquely
identifies an IPsec Security Association is so
that ESP/AH can fully support IP multicasting.  Far
from being an accident, this was a quite deliberate
design decision dating back more than 5 years now.

        One has been able to use ESP/AH to protect
IP multicast sessions for some time.  For example,
I was using it in a limited way circa Fall 1995.
The challenge is that manual configuration of any
IPsec Security Association is operationally challenging
and scales remarkably poorly.  The primary gain in
dynamic SA management is improved scaling and reduced
operational burden.

> "However, IPsec SA management mechanisms currently are
> defined only for unicast SAs."
> They have explained how to use a multicast address in
> an IPSec SA, in principle, but this RFC was published in 1998.

        Where "IPsec SA management mechanisms" means
"key management mechanisms for ESP/AH", the cited
text is merely noting that in 1998 the IETF had not
(at that time) standardised any key management mechanism 
for multicast Security Associations.

        The Secure Multicast Research Group (SMUG) of
the IRTF has been examining multicast key management
for some time now.  Some work originating within SMUG
is now appearing in the Multicast Security (MSEC) Working 
Group of the IETF.  Folks interested in this topic ought to
look into (and perhaps participate in) the MSEC WG.

IMHO

Ran
rja@inet.org
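As an added illustration (not code from Ran's message, from RFC 2401, or from any IPsec implementation): a toy inbound Security Association Database lookup keyed on the RFC 2401 triple (SPI, IP destination address, security protocol). Because the key is the destination rather than the source, packets from several senders to one multicast group all resolve to the same SA, whereas a hypothetical source-keyed table would need an entry per sender. The addresses, SPIs, SA names and packet bytes are constructed for the example.

```python
"""Toy inbound IPsec Security Association Database (SAD) lookup.

Added example, not code from the mailing-list post or from RFC 2401.
RFC 2401 (section 4.1) identifies an SA by the triple
(SPI, IP destination address, security protocol).  Because the key is
the *destination*, every sender to one multicast group hits the same
SA entry; a source-keyed table would need one entry per sender.
Addresses, SPIs, packet bytes and SA names below are all constructed.
"""
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def build_ipv4_esp_packet(src, dst, spi, seq, payload):
    """Construct a minimal IPv4 packet carrying an ESP header.

    ESP (RFC 2406) starts with a 32-bit SPI and a 32-bit sequence number,
    followed by the protected payload.  The IP header checksum is left at
    zero: this is constructed sample input, not a captured packet.
    """
    esp = struct.pack("!II", spi, seq) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(esp), 0, 0, 64, IPPROTO_ESP, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + esp


def parse_selector(packet):
    """Return (spi, dst, proto, src) for an IPv4 packet carrying ESP or AH.

    The SPI is the first word of the ESP header; in AH (RFC 2402) it
    follows the next-header, payload-length and reserved fields (offset 4).
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", packet[ihl:ihl + 4])
    elif proto == IPPROTO_AH:
        (spi,) = struct.unpack("!I", packet[ihl + 4:ihl + 8])
    else:
        raise ValueError("protocol %d is not AH or ESP" % proto)
    return spi, dst, proto, src


def make_sad():
    """Constructed inbound SAD keyed on the RFC 2401 triple.

    One entry covers the whole multicast group 239.1.1.1 regardless of
    who sends; the other is an ordinary unicast SA.
    """
    return {
        (0x1000, "239.1.1.1", IPPROTO_ESP): {"name": "group-sa", "key_id": "k-group"},
        (0x2000, "192.0.2.1", IPPROTO_ESP): {"name": "unicast-sa", "key_id": "k-host"},
    }


def lookup_sa(sad, packet):
    """RFC 2401 lookup: (SPI, destination, protocol).  None if no SA matches."""
    spi, dst, proto, _src = parse_selector(packet)
    return sad.get((spi, dst, proto))


def lookup_sa_keyed_on_source(sad_by_src, packet):
    """Counter-example (hypothetical): a table keyed on (SPI, source, protocol).

    Such a table needs a separate entry per sender, which is why the
    designers keyed SAs on the destination instead.
    """
    spi, _dst, proto, src = parse_selector(packet)
    return sad_by_src.get((spi, src, proto))


def demo():
    """Three senders to one group: all resolve to the same destination-keyed
    SA, while a source-keyed table only recognises the sender it was
    provisioned for.  Returns (sa names per packet, source-keyed hit flags)."""
    sad = make_sad()
    senders = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    pkts = [build_ipv4_esp_packet(s, "239.1.1.1", 0x1000, n, b"\x00" * 16)
            for n, s in enumerate(senders, 1)]
    names = [lookup_sa(sad, p)["name"] for p in pkts]
    sad_by_src = {(0x1000, "10.0.0.1", IPPROTO_ESP): {"name": "per-sender-sa"}}
    src_hits = [lookup_sa_keyed_on_source(sad_by_src, p) is not None for p in pkts]
    return names, src_hits


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows every group packet landing on `group-sa` while the source-keyed table matches only the first sender; keying the SAD on the destination is exactly what makes the group case a single SA rather than one per source.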


