
out-of-band key management is like virtual circuits



Folks,

I think it might be useful to approach the in-band/out-of-band key management
issue from another perspective. Out-of-band management assumes either that
a synchronized security association already exists between the source and
destination hosts or that when an IP packet is processed, the key management
software is called to establish this context. Those familiar with X.25 will
recognize this as a virtual circuit model of operation. In fact I think it
is a fair characterization that out-of-band key management imposes a
"security virtual circuit" model on IP security (both IPv4 and IPv6).

In-band key management, on the other hand, is philosophically similar to
dynamic connection management, which is the technique employed by TCP.
When a connection is required, information is included within the TCP
header (e.g., syn flag, isn) to allow the construction of a connection
record at the destination. Similarly, the destination returns information
(syn ack, its isn), to allow the source to complete the construction of
its connection record.

An important point that some may have overlooked is that the current draft of
the IPv6 security Architecture I-D (I couldn't find a security architecture I-D
for IPv4) encourages the use of user-to-user keying (by specifying that
implementations MUST support user-to-user keying, but only MAY provide
for host-to-host keying), rather than host-to-host keying. The implication
is that every time a new *user* communicates to a specific machine, the
key management software will be required to establish a new security
association. If out-of-band keying is used, this is going to mean, on
average, very poor performance, since the key management protocol must
use a separate communications stream to establish the keys for use before
communications on the stream originating the key management activity
can proceed.

It is for these reasons, among others, that in-band signalling should be
supported by both final IPSEC Proposed Standards and by the IPv6 Proposed
Standards for security.

Dan
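The exchange argued for above, as an added simulation that is not part of the original message and not any IPSEC implementation's code. It models both keying styles with one toy Diffie-Hellman agreement and counts the round trips spent before a source can send protected data: in-band setup piggybacks the key exchange on the flow's own first packets (the SYN / SYN-ACK analogy), while out-of-band setup runs a separate key management exchange first. The `Host`, `setup_inband`, `setup_oob` and `total_cost` names, the 64-bit DH group, the SHA-256 key derivation and the assumed two-round-trip cost of a stand-alone key management protocol are all assumptions made for this example; the message itself specifies none of them.

```python
"""Toy model of in-band vs out-of-band security association (SA) setup.

An SA must exist at both ends before protected traffic can flow.  In-band
signalling carries the key exchange in the flow's first packets, like a TCP
SYN / SYN-ACK; out-of-band key management runs as a separate stream that
must finish first.  Costs are counted in round trips before the first
protected data packet can be sent.  All protocol details are assumptions
for this example, not a description of any standard.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman group: 2**64 - 59 is prime.  Assumed for the simulation
# only; real key management would use a standard, far larger group.
P = (1 << 64) - 59
G = 2

# Assumed cost of a stand-alone key management protocol, in round trips.
OOB_KM_ROUND_TRIPS = 2


def derive_key(shared: int) -> bytes:
    """Derive an SA key from the DH shared secret (toy KDF: one SHA-256)."""
    return hashlib.sha256(b"toy-sa-key" + shared.to_bytes(8, "big")).digest()


@dataclass
class Host:
    name: str
    # Established SAs: (peer, user) -> key.  user is None for host-to-host keying.
    sa_table: dict = field(default_factory=dict)
    # Half-open SAs waiting for the peer's DH value, like a TCP SYN_SENT record.
    pending: dict = field(default_factory=dict)

    def sa_id(self, peer: "Host", user: str, user_keying: bool):
        return (peer.name, user if user_keying else None)

    def inband_first_packet(self, peer, user, user_keying):
        """Flow's first packet: a KM header with our DH public value, no data yet."""
        priv = secrets.randbelow(P - 2) + 2
        self.pending[self.sa_id(peer, user, user_keying)] = priv
        return {"src": self.name, "user": user, "dh": pow(G, priv, P)}

    def inband_respond(self, pkt, peer, user_keying):
        """Destination builds its SA record from the header, returns its DH value."""
        priv = secrets.randbelow(P - 2) + 2
        key = derive_key(pow(pkt["dh"], priv, P))
        self.sa_table[self.sa_id(peer, pkt["user"], user_keying)] = key
        return {"src": self.name, "user": pkt["user"], "dh": pow(G, priv, P)}

    def inband_complete(self, reply, peer, user_keying):
        """Source completes its SA record from the reply, as TCP does on SYN-ACK."""
        sid = self.sa_id(peer, reply["user"], user_keying)
        priv = self.pending.pop(sid)
        self.sa_table[sid] = derive_key(pow(reply["dh"], priv, P))


def setup_inband(src, dst, user, user_keying):
    """Round trips before src can send protected data to dst for this user."""
    if src.sa_id(dst, user, user_keying) in src.sa_table:
        return 0          # SA already synchronized: data goes out immediately
    reply = dst.inband_respond(src.inband_first_packet(dst, user, user_keying), src, user_keying)
    src.inband_complete(reply, dst, user_keying)
    return 1              # one SYN / SYN-ACK style exchange on the flow itself


def setup_oob(src, dst, user, user_keying):
    """Same, but key management is a separate stream that must finish first."""
    if src.sa_id(dst, user, user_keying) in src.sa_table:
        return 0
    # The key agreement itself is the same; only the transport model differs.
    reply = dst.inband_respond(src.inband_first_packet(dst, user, user_keying), src, user_keying)
    src.inband_complete(reply, dst, user_keying)
    return OOB_KM_ROUND_TRIPS


def total_cost(mode, users, user_keying):
    """Round trips spent on SA setup when each user in `users` opens a flow A -> B."""
    a, b = Host("A"), Host("B")
    setup = setup_inband if mode == "inband" else setup_oob
    rtts = sum(setup(a, b, u, user_keying) for u in users)
    # Sanity check: both ends must hold identical keys for every SA.
    for (_, user), key in a.sa_table.items():
        assert b.sa_table[("A", user)] == key
    return rtts


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]   # constructed sample: four users of host A
    for mode in ("inband", "oob"):
        for uk in (False, True):
            label = "user-to-user" if uk else "host-to-host"
            print(f"{mode:6s} {label:12s} {total_cost(mode, users, uk)} round trips")
```

With host-to-host keying only the first user pays for SA setup; with user-to-user keying every user pays, and the out-of-band cost per SA is the full key management exchange rather than the single on-path round trip, which is the scaling the message is objecting to.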

