
Re: out-of-band key management is like virtual circuits



Dan,

  I find your analogy to be highly misleading.  I strongly disagree
with your assertion that in-band key mgmt is better for a datagram
network.  All of the capability that you assert is unique to in-band
can be done by simply sending key mgmt packets at the same time one
sends the datagrams.  Since SAIDs are receiver-oriented, a sender can't
force a key upon the receiver without the receiver's involvement in
any case.  If we remove that receiver-orientation, then IP multicasting
will not work well with security (and multicasting is a 1st order
service of IPv6).

  Out of band keying does NOT mean "on average, very poor performance".
Your assertion just is not true.

  We should continue to avoid coupling key mgmt and the security
mechanisms and hence should continue to avoid in-band key mgmt in
standards-track specifications within the IETF.

Ran
atkinson@itd.nrl.navy.mil
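As an added illustration (not part of Ran's mail or this thread), the following Python model shows the receiver-oriented SAID behaviour the post relies on: key management travels in its own packets alongside the data, the receiver allocates the SAID, and a datagram carrying a SAID the receiver never issued has no association to look up and is simply dropped. The packet shapes, names, keys and the HMAC-based integrity check are all constructed for the example and are not taken from any IETF specification.

```python
"""Receiver-oriented SAID demo (added illustration, not from the original mail).

Out-of-band key management is modelled as a separate packet type that the
sender can emit at the same time as its datagrams. The receiver, not the
sender, allocates the Security Association IDentifier (SAID). A sender that
tries to "force" a key by picking a SAID itself gets nowhere: the receiver
has no association under that SAID and drops the datagram.
All names, keys and packet layouts are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    key: bytes
    peer: str


@dataclass
class Receiver:
    name: str
    table: dict = field(default_factory=dict)      # SAID -> SecurityAssociation
    accepted: list = field(default_factory=list)   # payloads that verified
    dropped: list = field(default_factory=list)    # (said, payload) rejected

    def handle_key_mgmt(self, sender: str, key: bytes) -> int:
        """Key management packet: the receiver chooses and returns the SAID."""
        said = secrets.randbelow(2**32)
        while said == 0 or said in self.table:   # 0 reserved, avoid collisions
            said = secrets.randbelow(2**32)
        self.table[said] = SecurityAssociation(key=key, peer=sender)
        return said

    def handle_datagram(self, said: int, payload: bytes, tag: bytes) -> bool:
        """Look the SAID up; unknown SAID or bad tag means the datagram is dropped."""
        sa = self.table.get(said)
        if sa is None:
            self.dropped.append((said, payload))
            return False
        expected = hmac.new(sa.key, said.to_bytes(4, "big") + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.dropped.append((said, payload))
            return False
        self.accepted.append(payload)
        return True


def make_datagram(key: bytes, said: int, payload: bytes):
    """Sender side: protect payload under (key, said); SAID is bound into the tag."""
    tag = hmac.new(key, said.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return said, payload, tag


def demo() -> Receiver:
    rx = Receiver("B")
    key = secrets.token_bytes(32)

    # 1. Sender picks SAID 7 on its own and sends before any key management:
    #    the receiver never issued 7, so the datagram is dropped.
    rx.handle_datagram(*make_datagram(key, 7, b"hello before keying"))

    # 2. Key management packet sent alongside the data; receiver allocates SAID.
    said = rx.handle_key_mgmt("A", key)

    # 3. Datagram under the receiver-issued SAID verifies and is accepted.
    rx.handle_datagram(*make_datagram(key, said, b"hello after keying"))

    # 4. Same SAID but a key the receiver never agreed to: tag fails, dropped.
    rx.handle_datagram(*make_datagram(b"some other key", said, b"forged"))
    return rx


if __name__ == "__main__":
    r = demo()
    print("accepted:", r.accepted)
    print("dropped:", [(s, p) for s, p in r.dropped])
```

The point of the model is the lookup direction: the SAID is meaningful only because the receiver wrote it into its own table, so nothing the sender places in a datagram can create an association the receiver did not agree to.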


