
Re[2]: On SKIP and non-interactive key management

Ashar:

>>* The transmission of algorithm identifiers and possibly other security 
>>attributes with each packet adds to the overhead even if these values are 
>>most of the time fixed for a pair of nodes.
>
>Of course, this kind of argument can be made against an IP header 
>as well. One can end up arguing in favor of a connection oriented 
>network protocol like X.25 instead of IP, with this line of 
>argument. (And precisely some of these arguments were made
>by X.25 proponents).

The SAID should be used to indirectly tell which algorithms and modes are being 
used.  In a sense, the agreement of a key between two parties is the 
establishment of a connection, only we call it a security association.


>>* The attractive notion of unstructured SAIDs that are decided by the local 
>>implementation and transmitted to the other party is lost here. Only 
>>structured, standardized SAIDs make sense.
>
>What is attractive about unstructured SAIDs? I realize the need
>for IPSP to allow all kinds of key-management, and hence unstructured 
>SAIDs, but fail to see anything terribly attractive about unstructured 
>SAIDs.
>
>The only thing about SAIDs is that they are decided by a receiving 
>node, and if a receiving node chooses structured SAIDs, and 
>advertises that in advance, what is wrong with that?


I thought that this group agreed on 32 bit SAIDs with the high order bit 
reserved for multicast security associations.  When did the issue 
get reopened?

Russ
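As an added illustration of the point Russ makes (this is example code written for this page, not code from the thread or from any IPSP implementation), the following sketches a receiver-side table keyed by a 32-bit SAID whose high-order bit is reserved for multicast associations, so that a packet carries only the SAID and the algorithm and mode are resolved locally. The algorithm labels, the use of randomly drawn SAIDs, and all sample values are assumptions.

```python
import secrets
from dataclasses import dataclass

MULTICAST_BIT = 1 << 31        # high-order bit of the 32-bit SAID marks a multicast SA
SAID_MASK = (1 << 32) - 1      # SAIDs are 32 bits wide


@dataclass(frozen=True)
class SecurityAssociation:
    """Everything the SAID stands for; none of this travels in the packet header."""
    peer: str
    algorithm: str   # constructed label, not a registry value
    mode: str        # constructed label, e.g. "tunnel"
    key: bytes


class SAIDTable:
    """Receiver-chosen SAIDs: the receiving node allocates, the sender echoes."""

    def __init__(self) -> None:
        self._table: dict[int, SecurityAssociation] = {}

    def allocate(self, sa: SecurityAssociation, multicast: bool = False) -> int:
        # Draw a fresh, unpredictable 31-bit value (assumption: random allocation),
        # then set the reserved high bit only for multicast associations.
        while True:
            said = secrets.randbits(31)
            if said == 0:
                continue                    # keep 0 free as "no association"
            if multicast:
                said |= MULTICAST_BIT
            if said not in self._table:
                self._table[said] = sa
                return said

    def lookup(self, said: int) -> SecurityAssociation:
        # The SAID is the only thing on the wire; algorithm and mode come from here.
        if not 0 < said <= SAID_MASK:
            raise ValueError(f"SAID {said!r} is not a 32-bit identifier")
        sa = self._table.get(said)
        if sa is None:
            # Unknown SAID: no security association exists, so the packet is dropped.
            raise KeyError(f"unknown SAID {said:#010x}")
        return sa


def is_multicast(said: int) -> bool:
    """True when the reserved high-order bit is set."""
    return bool(said & MULTICAST_BIT)
```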