Yup, that's correct; I had not considered multicast. SSM groups would use a 3-tuple SA identifier composed of an SPI, a dest mcast address, and the source IP. An Any-Source Multicast group SA would only require an SPI and a dest mcast identifier. If either of the IPs changes, wouldn't the SAD lookup fail?
Cheers, Manav

> -----Original Message-----
> From: Richard Graveman [mailto:rfgrave...@gmail.com]
> Sent: Friday, November 13, 2009 7.07 AM
> To: Bhatia, Manav (Manav)
> Cc: Daniel Migault; ipsec@ietf.org; Stephen Kent; Kaeo; mer...@core3.amsl.com
> Subject: Re: [IPsec] WESP - Roadmap Ahead
>
> I think this argument implicitly assumes unicast.
>
> Rich Graveman
>
> On Thu, Nov 12, 2009 at 8:18 PM, Bhatia, Manav (Manav) <manav.bha...@alcatel-lucent.com> wrote:
> > Daniel,
> >
> >> AH is a security feature we need to keep for header authentication
> >
> > Am really not sure about the value that AH adds even in case of header authentication.
> >
> > So what fields does AH protect:
> >
> > Version, Payload length, Next Header, Source IP and dest IP

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
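The SAD lookup Manav describes, as an added illustration that is not code from this thread or from any IPsec implementation: a toy inbound Security Association Database in Python, keyed the way RFC 4301 section 4.4.2.1 identifies inbound SAs (SPI alone for unicast; SPI plus destination group for Any-Source Multicast; SPI, group and source for Source-Specific Multicast). It goes slightly beyond the message by including the unicast case alongside the two multicast cases. The class and method names, entry labels, SPIs and addresses are all constructed for the example.

```python
"""Toy inbound SAD lookup for unicast, ASM and SSM Security Associations.

Hypothetical illustration of the identifier shapes in RFC 4301 section
4.4.2.1; not a real IPsec implementation. Names, SPIs and addresses below
are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]
# Lookup key: (SPI, destination group or None, source address or None)
SadKey = Tuple[int, Optional[Addr], Optional[Addr]]


@dataclass(frozen=True)
class SAEntry:
    """One inbound SA. 'name' is only a label for the demonstration."""
    name: str
    spi: int
    dst: Optional[Addr] = None   # multicast group for ASM/SSM SAs, None for unicast
    src: Optional[Addr] = None   # sender address, set only for SSM SAs


class SAD:
    """Minimal inbound SAD indexed by the tuple that identifies each SA kind:
    (SPI), (SPI, group) or (SPI, group, source)."""

    def __init__(self) -> None:
        self._entries: Dict[SadKey, SAEntry] = {}

    def add_unicast(self, name: str, spi: int) -> None:
        self._entries[(spi, None, None)] = SAEntry(name, spi)

    def add_asm(self, name: str, spi: int, group: str) -> None:
        g = ip_address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        self._entries[(spi, g, None)] = SAEntry(name, spi, g)

    def add_ssm(self, name: str, spi: int, group: str, source: str) -> None:
        g, s = ip_address(group), ip_address(source)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        self._entries[(spi, g, s)] = SAEntry(name, spi, g, s)

    def lookup(self, spi: int, dst: str, src: str) -> Optional[SAEntry]:
        """Select the SA for an inbound packet from its SPI and the outer IP
        header addresses. Returns None when no SA matches (packet dropped)."""
        d, s = ip_address(dst), ip_address(src)
        if d.is_multicast:
            # SSM: the 3-tuple must match exactly, so a different sender is a miss.
            hit = self._entries.get((spi, d, s))
            if hit is None:
                # ASM: the source is not part of the identifier; any sender matches.
                hit = self._entries.get((spi, d, None))
            return hit
        # Unicast: the SPI alone identifies the SA; addresses are not consulted.
        # (RFC 4301 also allows the protocol to be part of the key; omitted here.)
        return self._entries.get((spi, None, None))


def build_sample_sad() -> SAD:
    """Constructed sample database: one SA of each kind."""
    sad = SAD()
    sad.add_unicast("uni", 0x1000)
    sad.add_asm("asm", 0x2000, "239.1.2.3")                 # admin-scoped ASM group
    sad.add_ssm("ssm", 0x3000, "232.1.2.3", "192.0.2.10")   # SSM group + one sender
    return sad


if __name__ == "__main__":
    sad = build_sample_sad()
    # SSM: expected sender matches, a different sender does not.
    print(sad.lookup(0x3000, "232.1.2.3", "192.0.2.10"))
    print(sad.lookup(0x3000, "232.1.2.3", "192.0.2.11"))
    # ASM: sender changes but the (SPI, group) key still matches.
    print(sad.lookup(0x2000, "239.1.2.3", "198.51.100.7"))
    # Unicast: only the SPI matters.
    print(sad.lookup(0x1000, "198.51.100.1", "192.0.2.99"))
```

Running the block shows the point of the question: for the SSM entry, a packet with the same SPI and group but a different source address finds no SA and is discarded, whereas the ASM entry is found for any sender, and the unicast entry ignores both addresses. A receiver that keys all SAs by a single fixed tuple shape would get one of these cases wrong.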