
Re: IPSEC Minutes - IETF28




  My hand-written notes from the 2nd IPsec meeting indicate that we talked
some about key management protocol algorithms. I thought we had reached rough
consensus on using a hybrid Diffie-Hellman with RSA Key Certificates used
to mitigate against a man-in-the-middle attack for the KMP.

  Since this is apparently ambiguous, I'd like to formally suggest that we
use that approach and open discussion on that proposal on this list.  If
someone prefers another approach, it would be good to hear about it now.
Does this use of hybrid Diffie-Hellman cause anyone heartburn?  Which
of the existing key mgmt protocols (if any) use this?

  Secondly, I think it would be ideal if the need for key management APIs
were raised with the CAT working group as something that we'd like to
see as an optional extension to their existing Generic Security Services
Application Programming Interfaces (GSS-APIs).  They are already dealing
with APIs and our identified need fits neatly with their existing work.

  Lastly, after sitting in on a number of different meetings at the IETF,
I was struck by the large amount of progress that could be made soon if
we had an Internet Key Mgmt Protocol (IKMP).  There are a fair number of
protocols (e.g. routing protocols, DHCP) that could use keyed MD5 to add
authentication very rapidly once we had a key mgmt protocol.  Perhaps it
would be in the best interest of the Internet if we were to concentrate
on that piece first.  In looking at my work for SIPP security, it is clear
that because of differences in the protocol design, I'll have to use a 
slightly different syntax from IPv4 Security Protocol anyway.  However,
it appears likely that I could reuse the IKMP for SIPP as is.  Again,
this to me speaks for rearranging our priorities to do the IKMP specification
first.  Other thoughts are solicited.

Ran
atkinson@itd.nrl.navy.mil


  

