
Re: Re[2]: Granularity of authentication in swIPe




"Housley, Russ" says:
> I see you contradicting yourself.  Perhaps I am misunderstanding you.
> 
> On one hand, you say that you want to keep the SAID small.  You suggest 16
> bits.  On the other hand, you want to add sequence numbers for a facility
> which you claim is not "bulletproof."

Why is this a contradiction? I don't understand. Could you explain
your point at more length?

> Also, I think that the SAID structure must support IP broadcast and IP 
> multicast. For this reason, I want a larger SAID (say, 32 bits for 
> compatibility with the IEEE 802.10 Secure Data Exchange and Key Management
> Protocol).  Management of broadcast and multicast keys within the Internet 
> will require a large pool of SAIDs.

I'm not sure that this is a problem. swIPe policies are associated
with address pairs, and broadcast addresses and multicast addresses
are parts of address pairs just as normal ones are. I doubt that a
given single host might have more than 64000 simultaneous keys in use
with a given multicast or broadcast address. I think that Steve Kent's
argument that a pair of tunnel hosts might want to allocate a policy
for each underlying encapsulated policy is a bit stronger than this
rationale for larger policy identifier fields.

Perry

BTW, is "spyrus.com" the same Spyrus that makes the SCSI based reader
for Tessera cards?
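The point under debate above is how far a 16-bit SAID stretches when the identifier is scoped to an address pair rather than to a host. The following is an added illustration, not swIPe code and not anything from this thread's authors: a security-association table keyed by (local address, peer address, SAID). The allocator, the field names, the reservation of SAID 0 and the sample addresses are all assumptions made for the example; the 16-bit width is the figure from the discussion.

```python
"""Illustration of per-address-pair SAID scoping (added example, not swIPe code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

SAID_BITS = 16
SAID_SPACE = 1 << SAID_BITS        # 65536 values, of which 0 is reserved here (assumption)
PER_PAIR_CAPACITY = SAID_SPACE - 1 # usable SAIDs per address pair

Pair = Tuple[IPv4Address, IPv4Address]
SaKey = Tuple[IPv4Address, IPv4Address, int]


class SaidExhausted(Exception):
    """Raised when an address pair has no free SAID left."""


@dataclass
class SaTable:
    # Assumed layout: an inbound packet is matched on (local, peer, said), so the
    # SAID namespace is separate for every address pair, not shared host-wide.
    sas: Dict[SaKey, bytes] = field(default_factory=dict)
    next_said: Dict[Pair, int] = field(default_factory=dict)

    def allocate(self, local: str, peer: str, key: bytes) -> int:
        """Hand out the next free SAID for this pair; peer may be a group or broadcast address."""
        pair: Pair = (IPv4Address(local), IPv4Address(peer))
        start = self.next_said.get(pair, 1)
        for offset in range(SAID_SPACE):
            said = (start + offset) % SAID_SPACE
            if said == 0:
                continue                        # 0 reserved (assumption for this example)
            if (pair[0], pair[1], said) not in self.sas:
                self.sas[(pair[0], pair[1], said)] = key
                self.next_said[pair] = (said + 1) % SAID_SPACE
                return said
        raise SaidExhausted(f"{pair[0]} -> {pair[1]}: all {PER_PAIR_CAPACITY} SAIDs in use")

    def lookup(self, local: str, peer: str, said: int) -> Optional[bytes]:
        """Resolve a received (local, peer, SAID) triple to its key, or None if unknown."""
        return self.sas.get((IPv4Address(local), IPv4Address(peer), said))

    def in_use(self, local: str, peer: str) -> int:
        """Number of SAIDs currently consumed by one address pair."""
        pair = (IPv4Address(local), IPv4Address(peer))
        return sum(1 for (l, p, _) in self.sas if (l, p) == pair)


def same_said_different_pairs() -> Tuple[int, int]:
    """Two distinct SAs, one to a unicast peer and one to a multicast group, receive the same
    SAID value; the address pair is what tells them apart on lookup."""
    table = SaTable()
    unicast = table.allocate("10.0.0.1", "10.0.0.2", b"unicast-key")   # constructed sample addresses
    group = table.allocate("10.0.0.1", "224.0.0.1", b"group-key")      # multicast group as the peer
    assert table.lookup("10.0.0.1", "10.0.0.2", unicast) == b"unicast-key"
    assert table.lookup("10.0.0.1", "224.0.0.1", group) == b"group-key"
    return unicast, group


def exhaust_pair(local: str = "10.0.0.1", peer: str = "10.0.0.2") -> Tuple[int, bool]:
    """Model the tunnel-host case raised in the thread: one pair of endpoints burning one SAID
    per encapsulated policy. Returns how many SAs fit and whether the next allocation failed."""
    table = SaTable()
    count = 0
    try:
        while True:
            table.allocate(local, peer, b"inner-policy-key")
            count += 1
    except SaidExhausted:
        return count, True


if __name__ == "__main__":
    print("SAIDs on the two pairs:", same_said_different_pairs())
    print("SAs that fit on one pair, then exhausted:", exhaust_pair())
```

The two functions map onto the two sides of the exchange: `same_said_different_pairs` shows why a broadcast or multicast destination does not by itself eat into the namespace, since the group address is just another peer with its own 16-bit space, while `exhaust_pair` shows where the limit does bite, on a single pair of tunnel endpoints that must hold one SA per inner policy.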


