Re: Re[2]: Granularity of authentication in swIPe
"Housley, Russ" says:
> I see you contradicting yourself. Perhaps I am misunderstanding you.
>
> On one hand, you say that you want to keep the SAID small. You suggest 16
> bits. On the other hand, you want to add sequence numbers for a facility
> which you claim is not "bulletproof."
Why is this a contradiction? I don't understand. Could you explain
your point at more length?
> Also, I think that the SAID structure must support IP broadcast and IP
> multicast. For this reason, I want a larger SAID (say, 32 bits for
> compatibility with the IEEE 802.10 Secure Data Exchange and Key Management
> Protocol). Management of broadcast and multicast keys within the Internet
> will require a large pool of SAIDs.
I'm not sure that this is a problem. swIPe policies are associated
with address pairs, and broadcast addresses and multicast addresses
are parts of address pairs just as normal ones are. I doubt that a
given single host might have more than 64000 simultaneous keys in use
with a given multicast or broadcast address. I think that Steve Kent's
argument that a pair of tunnel hosts might want to allocate a policy
for each underlying encapsulated policy is a bit stronger than this
rationale for larger policy identifier fields.
Perry
BTW, is "spyrus.com" the same Spyrus that makes the SCSI based reader
for Tessera cards?