
Re: Re[2]: Granularity of authentication in swIPe



>On one hand, you say that you want to keep the SAID small.  You suggest 16
>bits.  On the other hand, you want to add sequence numbers for a facility
>which you claim is not "bulletproof."

The SAID is an especially sensitive issue with me since it has to be
in every packet.  On the other hand, the use of sequence numbers could
be negotiated on a per-SAID basis, which makes them less objectionable
-- you can turn them off if you want.

My sequence numbers are currently only 16 bits. The idea is that you'd
probably rekey before this wraps around (assuming a dynamic key management
protocol).

I am not trying to solve every conceivable problem with IPSP. That's
how things like OSI come about. The Internet approach has always been
to try first to solve 95% of the problems with only 5% of the
effort. Then after we get some real world experience we can decide if
the remaining 5% are worth solving, or whether they are even real or
not.

Phil

