
just to be clear...

Just to be clear, the limit of the negotiation I'm envisioning is
something on the order of complexity of:

requester sends UDP (or similar) packet saying: I can handle this list
of security transformations, and I can handle this list of key
management protocols. (Implicitly, this is a request to initialize a
new SAID.)

responder sends UDP packet saying: let's use this transformation, and
this key management system. (Possibly the responder notes what SAID it
has assigned at this point -- possibly not.)

This is just a straw man, understand, but it's about the limit of what
I believe will be needed. One doesn't need something complicated, but
we are far too constrained without such an exchange taking place at
all.

Perhaps the transform and key management lists should not be in the
same packet. Perhaps the SAID comes back in the response, perhaps not.
Perhaps a responder-initiated version is needed, too. Perhaps
information needed to build bi-directional SAs needs to be passed --
what I've mentioned has no such data yet, and doesn't provide other
needed information. I'm not proposing anything specific yet. I'm just
arguing we need such a layer, but that it need not be complex.

Perry
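The two-message straw man above, as an added example that is not part of Perry's post or any IPsec draft: the requester encodes its two capability lists into one datagram-sized message, the responder picks the first entry of its own preference list that the requester also offered (or fails cleanly when there is no overlap) and optionally returns a SAID, and the requester checks that the responder's choice actually came from what it offered before accepting it. The message layout, type codes, flag bit and the numeric identifier tables are all constructed for this example; the exchange is driven in-process rather than over a real UDP socket.

```python
import struct

# Constructed identifier tables (placeholders, not real transform or KM names):
# small integers stand in for the "security transformations" and "key management
# protocols" that the requester lists in its offer.
TRANSFORMS = {1: "transform-1", 2: "transform-2", 3: "transform-3"}
KEY_MGMT = {1: "manual-keying", 2: "km-protocol-a", 3: "km-protocol-b"}

OFFER, RESPONSE = 1, 2          # message type codes (assumed for this example)
FLAG_SAID_PRESENT = 0x01        # response carries the SAID the responder assigned


def encode_offer(transforms, key_mgmts):
    """Requester -> responder: 'I can handle these transforms and these KM protocols'.
    Layout (assumed): type, n, n transform ids, m, m key-management ids."""
    if not transforms or not key_mgmts or len(transforms) > 255 or len(key_mgmts) > 255:
        raise ValueError("offer lists must be non-empty and fit in one length byte")
    return (struct.pack("!BB", OFFER, len(transforms)) + bytes(transforms)
            + struct.pack("!B", len(key_mgmts)) + bytes(key_mgmts))


def decode_offer(data):
    """Parse an offer; raises ValueError on a truncated or malformed datagram."""
    if len(data) < 2 or data[0] != OFFER:
        raise ValueError("not an offer")
    n = data[1]
    transforms = list(data[2:2 + n])
    if len(transforms) != n or len(data) < 3 + n:
        raise ValueError("truncated transform list")
    m = data[2 + n]
    key_mgmts = list(data[3 + n:3 + n + m])
    if len(key_mgmts) != m or len(data) != 3 + n + m:
        raise ValueError("truncated or trailing key management list")
    return transforms, key_mgmts


def build_response(offer_bytes, my_transforms, my_key_mgmts, said=None):
    """Responder -> requester: 'let's use this transform and this KM system'.
    my_* are the responder's own lists in preference order; the first entry the
    requester also offered wins. Returns None when there is no common choice.
    said: 32-bit SAID to include now, or None to leave assignment for later."""
    offered_t, offered_k = decode_offer(offer_bytes)
    t = next((x for x in my_transforms if x in offered_t), None)
    k = next((x for x in my_key_mgmts if x in offered_k), None)
    if t is None or k is None:
        return None
    flags = FLAG_SAID_PRESENT if said is not None else 0
    msg = struct.pack("!BBBB", RESPONSE, t, k, flags)
    if said is not None:
        msg += struct.pack("!I", said)
    return msg


def accept_response(sent_transforms, sent_key_mgmts, resp_bytes):
    """Requester-side check: the responder may only pick from what we offered.
    A choice outside the offered lists is rejected rather than silently used."""
    if len(resp_bytes) < 4 or resp_bytes[0] != RESPONSE:
        raise ValueError("not a response")
    _, t, k, flags = struct.unpack("!BBBB", resp_bytes[:4])
    if t not in sent_transforms or k not in sent_key_mgmts:
        raise ValueError("responder chose something we never offered")
    said = None
    if flags & FLAG_SAID_PRESENT:
        if len(resp_bytes) != 8:
            raise ValueError("bad SAID field")
        (said,) = struct.unpack("!I", resp_bytes[4:8])
    elif len(resp_bytes) != 4:
        raise ValueError("unexpected trailing bytes")
    return {"transform": TRANSFORMS.get(t, t), "key_mgmt": KEY_MGMT.get(k, k), "said": said}


def run_exchange(req_transforms, req_key_mgmts, resp_transforms, resp_key_mgmts, said=None):
    """Drive both sides in-process (no socket); returns the agreed parameters or None."""
    offer = encode_offer(req_transforms, req_key_mgmts)
    resp = build_response(offer, resp_transforms, resp_key_mgmts, said)
    if resp is None:
        return None
    return accept_response(req_transforms, req_key_mgmts, resp)


if __name__ == "__main__":
    # Requester offers transforms 1-3 and KM 2-3; responder prefers 3 then 2, and 3 then 1.
    print(run_exchange([1, 2, 3], [2, 3], [3, 2], [3, 1], said=0x0001F00D))
```

The `accept_response` check is the part worth keeping whatever the final packet layout turns out to be: without it, a responder (or anyone who can spoof the response datagram) could steer the requester onto a transform or key management system it never said it could handle.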