
Re: Re[2]: reserving some SAIDs




"Housley, Russ" says:
> 
> Perry:
> 
> > The model, as I understood it originally, was that SAIDs were 
> > assigned by the receiver in any way the receiver saw fit. Is
> > there a really good reason to abandon this?
> 
> On the contrary, there is a really good reason to keep it the way that it 
> is.  If you look at the draft IEEE 802.10c key management protocol, you 
> will see that each party tells the other party what SAID it has assigned to 
> the security association.  This is simple and straightforward.

It's also more or less the model we were following.

> There is no reason why both ends need to use the same SAID for the
> security association, but they do need to know the SAID that each
> other has assigned.

I fully agree -- in fact, I believe the assumption always was that
SAIDs were one-way constructs and that any SA would involve two of
them, which would typically not be the same.

I am not certain that there is much of a point in the schemes that are
being thought of to allow IPSP traffic with no previous communication
(except in cases of manual key management).  Little previous
negotiation makes enormous sense to me, but I don't really understand
why one or two IP packets before communicating would necessarily be a
horrible thing. They would also permit the Karn "magic cookie" trick
to prevent denial of service attacks, which I think is a big win. I've
really yet to be convinced by the current discussion that we need
reserved, preassigned SAIDs...

Perry

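The receiver-assigned, one-way SAID model that both messages describe, as a small Python simulation added here (not code from the thread or from the IEEE 802.10c draft): each party picks the SAID for traffic it will receive, tells the peer, and demultiplexes inbound packets only by its own table. The Endpoint class, the two allocation strategies and the payloads are assumptions for illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Packet = Tuple[int, bytes]  # (SAID on the wire, payload)


@dataclass
class Endpoint:
    """One IPSP party. It owns the SAID space for traffic it *receives*."""
    name: str
    choose: Callable[[], int]                      # receiver picks SAIDs any way it likes
    inbound: Dict[int, str] = field(default_factory=dict)   # my SAID -> peer it belongs to
    outbound: Dict[str, int] = field(default_factory=dict)  # peer -> SAID the peer assigned

    def assign_inbound_said(self, peer: str) -> int:
        # Nothing is preassigned: keep drawing until the value is unused locally.
        while True:
            said = self.choose()
            if said != 0 and said not in self.inbound:
                self.inbound[said] = peer
                return said

    def send(self, peer: str, payload: bytes) -> Packet:
        # Outbound traffic carries the SAID the *peer* chose, not one of ours.
        return (self.outbound[peer], payload)

    def receive(self, packet: Packet) -> Optional[Tuple[str, bytes]]:
        said, payload = packet
        peer = self.inbound.get(said)
        return None if peer is None else (peer, payload)   # unknown SAID: drop


def establish(a: Endpoint, b: Endpoint) -> Tuple[int, int]:
    """802.10c-style exchange: each side tells the other the SAID it assigned."""
    said_at_a = a.assign_inbound_said(b.name)   # for traffic b -> a
    said_at_b = b.assign_inbound_said(a.name)   # for traffic a -> b
    a.outbound[b.name] = said_at_b
    b.outbound[a.name] = said_at_a
    return said_at_a, said_at_b


def sequential_from(start: int) -> Callable[[], int]:
    counter = {"n": start - 1}
    def nxt() -> int:
        counter["n"] += 1
        return counter["n"]
    return nxt


def random32() -> int:
    return int.from_bytes(os.urandom(4), "big")
```

One endpoint hands out SAIDs sequentially and the other at random, so the two SAIDs of a single SA are unrelated, which is exactly the property the thread says is fine.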
