Re: Modular approach to key management 11/08/94 19
Subject: Modular approach to key management 11/08/94 19:22:
Author: "Juan A. Garay ((914) 784-6852)" <garay@watson.ibm.com> at internet
Date: 11/9/94 5:26 PM
Reference: Your note of Tue, 08 Nov 94 19:22:22
First, Juan A. Garay said:
Our proposal doesn't force a user to use the "lower" module, through
which short-lived keys are derived. However, distributing keys through
the means mentioned above is more expensive, and we believe ipsec has
to provide a more modular and efficient option. Our proposal
accommodates this situation.
I replied:
But, the proposal suggests that we start by standardizing the lower
module. In my opinion, the upper module is the one that needs our
attention. The upper module is the one that uses key
distribution centers, certificate-based key management, or manual
key management.
Then Juan said:
We are not proposing to forget about the upper module but, rather, to
follow a "first things first" approach. We believe that there are
*very* convincing reasons (security and efficiency: the need for
frequent key updates; deployment and interoperability: support for the
variety of existing key distribution technologies, and it's
fundamental to have a common module!; methodological; etc.) to do
the lower module first and get us going.
My reply to this:
For IPSP to be widely deployed, automated key management is required. By
postponing the definition of KDC or certificate-based key management to
establish traffic encryption keys, the "lower module" is forced to use
a manual approach. While manual key management has its uses, I do not
think that manual key management will facilitate the deployment of IPSP in
the Internet.
In the IEEE 802.10c Key Management Protocol, all three forms of key
management are supported: KDC, certificate-based, and manual. Each of
these techniques can be used to establish a traffic encryption key, then a
common attribute negotiation technique is used. I think that IPSEC can
adopt all of this work with minimal adaptation to the Internet. By starting
with IEEE 802.10c, the "upper module" is nearly complete. All that remains
is to define the syntax for negotiation of IPSP attributes.
In my opinion, IEEE 802.10c offers the shortest time-to-market solution for
IPSP key management.
Russ
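The two-module split debated above (an "upper" module that establishes a long-lived key by KDC, certificate-based exchange or manual configuration, and a "lower" module that derives frequently rotated short-lived traffic keys from it) is illustrated below with an added example. This code is not from the thread, from IEEE 802.10c, or from any IPsec draft; it is a constructed sketch in which the upper module is represented only by the MasterKey it produces, the lower module is an HMAC-SHA256 key derivation (HKDF-Expand style) keyed by direction and epoch, and the packet format, the key-id/epoch header, the "ipsp-traffic-key" label and the use of an HMAC tag rather than encryption are all assumptions made for the example.

```python
"""Constructed example of a two-module key hierarchy.

Upper module (not implemented here): KDC, certificate-based or manual
establishment, each ending in a MasterKey shared by the two peers.
Lower module (implemented here): derives short-lived per-epoch traffic
keys from that MasterKey so keys can be updated often without re-running
the expensive upper-module exchange.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size       # 32 bytes
HEADER_LEN = 8                     # 4-byte key_id + 4-byte epoch (assumed format)


@dataclass(frozen=True)
class MasterKey:
    """Output of the upper module, whichever mechanism produced it."""
    key_id: int      # lets the receiver pick the right master key
    secret: bytes    # long-lived key material, never used on the wire directly


def derive_traffic_key(master: MasterKey, direction: str, epoch: int,
                       length: int = 32) -> bytes:
    """Lower module: HMAC-based expand step (HKDF-Expand style, RFC 5869 shape).

    Binding direction and epoch into the info string gives distinct keys per
    direction and per rotation; a leaked traffic key does not reveal the master.
    """
    info = b"ipsp-traffic-key|" + direction.encode() + b"|" + epoch.to_bytes(4, "big")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(master.secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


class TrafficKeyState:
    """Sender-side lower-module state: rotates the epoch after max_uses packets."""

    def __init__(self, master: MasterKey, max_uses: int) -> None:
        self.master = master
        self.max_uses = max_uses
        self.epoch = 0
        self.uses = 0

    def current_send_key(self) -> Tuple[int, int, bytes]:
        if self.uses >= self.max_uses:      # frequent key update, no upper module needed
            self.epoch += 1
            self.uses = 0
        self.uses += 1
        return self.master.key_id, self.epoch, derive_traffic_key(self.master, "send", self.epoch)


def protect(state: TrafficKeyState, payload: bytes) -> bytes:
    """Build header || payload || HMAC tag under the current short-lived key."""
    key_id, epoch, key = state.current_send_key()
    header = key_id.to_bytes(4, "big") + epoch.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, HASH).digest()
    return header + payload + tag


def verify(masters: Dict[int, MasterKey], packet: bytes) -> Optional[bytes]:
    """Receiver: look up the master by key_id, re-derive the sender's key for
    the advertised epoch, and check the tag. Returns payload or None."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        return None
    key_id = int.from_bytes(packet[0:4], "big")
    epoch = int.from_bytes(packet[4:8], "big")
    master = masters.get(key_id)
    if master is None:                       # unknown upper-module association
        return None
    key = derive_traffic_key(master, "send", epoch)   # peer's send key is our receive key
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, HASH).digest()):
        return None
    return body[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed master key standing in for whatever the upper module produced.
    shared = MasterKey(key_id=7, secret=bytes(range(32)))
    sender = TrafficKeyState(shared, max_uses=2)
    receiver_masters = {7: shared}
    for msg in (b"first", b"second", b"third"):
        pkt = protect(sender, msg)
        print(int.from_bytes(pkt[4:8], "big"), verify(receiver_masters, pkt))
```

Run stand-alone, the loop prints epoch 0 for the first two packets and epoch 1 for the third, with each payload verified; the epoch in the header is what lets the receiver follow a rotation without any new exchange. Note that a constant-key/counter scheme like this only replaces the expensive part of key update; the strength of the traffic keys still rests entirely on how the master key was established by the upper module.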