Re: WG last call for IPv4 AH and ESP
Dan,

For that particular case (intermediate router sending an ICMP
message and desiring to authenticate the ICMP message back to the
sender), if a Security Association does not exist the router
could sign it using its private key that is associated with its
Eastlake-Kaufman signed public key available from the DNS and
an RSA signature. This scales as well as the DNS and hence
as well as the Internet as a whole.

This tends to confirm my prior existing belief that a non-mandatory,
but openly specified RSA Signature type should be defined for
use with AH. I have not created such a type yet for lack of time,
but would be happy to include one as a non-mandatory to implement
"Appendix B" in my IPv6 AH draft if someone supplied a spec that would
be implementable using RSAREF.

So I still do not believe that in-band key management is either
necessary or desirable in this case.

Regards,

Ran
atkinson@itd.nrl.navy.mil