
Re: out-of-band key management is like virtual circuits



Ran,

Your point:

>  All of the capability that you assert is unique to in-band
>  can be done by simply sending key mgmt packets at the same time one
>  sends the datagrams.

is somewhat misleading. The key management protocol will require an exchange
between the source and destination in order for the source to obtain the
SAID that it will use in the IP packet whose processing started the whole
process. This induces a considerable delay in delivering the original
IP packet. In-band signalling allows the key management activity to be
"piggy-backed" on the original IP packet, thus saving not only the cost of
processing one or more additional key mgmt IP packets, but also the delay
of at least a two-packet exchange (which is actually four packets for
Photuris, i.e., COOKIE_REQUEST, COOKIE_RESPONSE, DH_REQUEST, DH_RESPONSE)
to obtain the SAID.

>  Since SAIDs are receiver-oriented, a sender can't
>  force a key upon the receiver without the receiver's involvement in
>  any case.  If we remove that receiver-orientation, then IP multicasting
>  will not work well with security (and multicasting is a 1st order
>  service of IPv6).

In-band signalling doesn't "force a key upon the receiver without the receiver's
involvement," it just piggy-backs the key management information in the
original IP packet. The receiver has the option of dropping the packet with
the piggy-backed information, just as it can drop an out-of-band key mgmt
packet.


>    We should continue to avoid coupling key mgmt and the security
>  mechanisms and hence should continue to avoid in-band key mgmt in
>  standards-track specifications within the IETF.

I agree that key mgmt protocols should not be forced to use in-band techniques.
I think all of us (and there have been at least 5 messages from different
people on this list asking for in-band signalling) would like the *option*
of using in-band signalling. Then we can let the market decide which is
the best approach.

Dan