
Re: SIPP and SKIP. 2 subjects.
>From kent@BBN.COM Tue Aug  2 07:47:17 1994
>Ashar,
>
>	I'm a bit confused by the comments about SAIDs being reserved
>to indicate a particular key exchange.  The idea of an SAID is that it
>is selected by the local IPSP entity (IPSPE?) for use as the SOLE
>selector for security transformation processing for incoming packets.

Yes, I understand that this is the model that one uses with SAIDs
and session-oriented key-management. However, this is not the
model that SKIP uses, and I am not sure that the IPSP protocol
should constrain the meaning of the SAID, simply to rule out 
SKIP-like key-management.

The way the SAID would be used with SKIP is that the SAID is
combined with further information following the SAID
itself (namely the packet encryption key) to determine how to
perform the security transformation.

This, I believe, is a more general use of SAIDs than the one
you've described above. Certainly, Clause 2 of the 802.10 protocol
permits this style of determining how to perform the security
transformation (using the MDF field which optionally follows the
SAID), and I, for one, would not be happy to see a more restrictive 
model be part of the IPSP description.

In SKIP the security association (as you have described it)
exists by virtue of two pieces of information, one of them is
an implicit key, and another a packet key which is in the
packet.

The SAID is being used merely to determine the mode of processing,
e.g. confidentiality, integrity, etc., and thereby types the information
following the SAID.

My current encryption-only implementation of SKIP in fact has
no SAID field.

>	Was the focus of this discussion the use of SAIDs for the SA
>negotiation packets?  I don't think we have talked about how the
>packets exchanged for SA negotiation are handled, so far, e.g. what
>protocol ID is appropriate for them, how are they "bypassed" through
>the IPSP layer, etc.

No, this was not what I was referring to. Also, in the SKIP model, 
there is no "bypass" traffic.

Is it your view that this usage of SAIDs is inappropriate? If so,
how would you use the SAID field with SKIP-like key-management?

Ashar.
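As an added illustration (not code from this thread, from SKIP, or from any IPSP draft), the following Python contrasts a receiver that treats the SAID as the sole selector into a local SA table with one that, SKIP-style, reads the SAID only as a mode and combines a key carried in the packet with an implicit key that never goes on the wire. The field layout, mode values, keys, and the toy key-wrap and cipher are all constructed assumptions for this example.

```python
import hashlib, hmac, struct
# Constructed illustration of the two SAID models discussed in the thread.
# Header layout, mode numbers, keys and the toy wrap/cipher are all assumptions.
SAID_LEN, NONCE_LEN, KEY_LEN, TAG_LEN = 2, 4, 16, 32
# Session-oriented model: the SAID is the sole selector into a local SA table.
SA_TABLE = {0x0101: ("integrity", b"session-key-for-said-0101")}
# SKIP-like model: the SAID only names the mode and types the fields after it;
# the per-packet key rides in the packet, protected by an implicit key never sent.
SKIP_MODES = {0x0201: "integrity", 0x0202: "confidentiality"}
IMPLICIT_KEY = b"implicit-key-shared-out-of-band"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _keystream(key, nonce, n):  # toy SHA-256 counter-mode keystream
    blocks = (hashlib.sha256(key + nonce + struct.pack(">I", i)).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _wrap_pad(nonce):  # pad for the in-packet key, derived from the implicit key
    return hmac.new(IMPLICIT_KEY, b"wrap" + nonce, hashlib.sha256).digest()[:KEY_LEN]

def _transform(mode, key, nonce, data, inbound):
    if mode == "confidentiality":  # XOR with keystream works in both directions
        return _xor(data, _keystream(key, nonce, len(data)))
    if not inbound:
        return data + hmac.new(key, nonce + data, hashlib.sha256).digest()
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return body

def build(said, nonce, data, packet_key=None):
    """Sender side; packet_key is needed only for SKIP-style SAIDs."""
    if said in SA_TABLE:
        (mode, key), extra = SA_TABLE[said], b""
    else:
        mode, key, extra = SKIP_MODES[said], packet_key, _xor(packet_key, _wrap_pad(nonce))
    return struct.pack(">H", said) + nonce + extra + _transform(mode, key, nonce, data, False)

def receive(packet):
    """Receiver side: SAID alone selects the SA in one model; SAID + implicit key + packet key in the other."""
    said = struct.unpack(">H", packet[:SAID_LEN])[0]
    nonce, rest = packet[SAID_LEN:SAID_LEN + NONCE_LEN], packet[SAID_LEN + NONCE_LEN:]
    if said in SA_TABLE:
        mode, key = SA_TABLE[said]
    elif said in SKIP_MODES:
        mode, key, rest = SKIP_MODES[said], _xor(rest[:KEY_LEN], _wrap_pad(nonce)), rest[KEY_LEN:]
    else:
        raise ValueError("unknown SAID")
    return _transform(mode, key, nonce, rest, True)
```

Note that in the SKIP-like branch the receiver cannot decide how to process the packet from the SAID alone; it must first read and unwrap the key field that the SAID types.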
