
Re: Granularity of authentication in swIPe



Steve,

I fully agree that the SAID is used to select previously negotiated
options on a host-pair basis. So, given that you can negotiate at key
exchange time a much wider range of possible options than may be
needed at any moment, is it really necessary to have such a large SAID
field?  Can you show examples of situations where more than O(256)
such associations are really necessary?

Because the SAID is one of the few items in the IPSEC header that
really does have to have a standard format (since it's used to index
the stuff that is negotiable on a host-pair basis) it's important that
we find a format that can satisfy everybody if we're going to have an
interoperable standard.

I doubt that most of my applications (the wireless type, anyway) will
need more than one or two SAID values at any moment, and given the
cost of my links I *really* don't want to spend even an extra byte of
overhead unless I have to. But if you really want more than 1 byte,
then I don't see much of an alternative to a variable length field,
even though that will make the high-speed guys complain.

Comments?

Phil
