Re: Re[2]: Granularity of authentication in swIPe

[Phil Karn <karn@qualcomm.com>]

>Also, I think that the SAID structure must support IP broadcast and IP 
>multicast. For this reason, I want a larger SAID (say, 32 bits for 
>compatabiltiy with the IEEE 802.10 Secure Data Exchange and Key Management 
>Protocol).  Management of broadcast and multicast keys within the Internet 
>will require a large pool of SAIDs.

As I think Perry already said, SAIDs logically include the IP
addresses.  They're just like TCP sockets - each connection is
uniquely identified by the concatentation of the IP addresses and port
numbers, which means you need many fewer port numbers than you
otherwise would if everything was identified solely by port number.

As an aside I just don't see any easy way to support multicast in IPSP
that doesn't require a public key operation for each packet. Much of
the utility of IPSP comes from setting up a session key using a fairly
expensive key exchange protocol that is run only once for some fairly
large number of packets. But I don't see any easy way to do this for
multicast.

I can see putting in hooks for multicast, but it's hard to see how
they could be really useful given the current costs of even a public
RSA operation.

Phil

---

Follow-Ups:

• Re: Re[2]: Granularity of authentication in swIPe
• From: Steve Kent <kent@BBN.COM>

References:

• Re[2]: Granularity of authentication in swIPe
• From: "Housley, Russ" <housley@spyrus.com>

---

• Prev by Date: Re: Re[2]: Granularity of authentication in swIPe
• Next by Date: Re: Granularity of authentication in swIPe
• Prev by thread: Re: Re[2]: Granularity of authentication in swIPe
• Next by thread: Re: Re[2]: Granularity of authentication in swIPe
• Index(es):
  • Main
  • Thread