
Re: (IPng) Re: out-of-band key management is like virtual circuits



Ran,

I still await your response to the concerns about the way the spec is
written in general that I sent out Monday, Feb 20th.

>  I find your analogy to be highly misleading.  I strongly disagree
>with your assertion that in-band key mgmt is better for a datagram
>network.  All of the capability that you assert is unique to in-band
>can be done by simply sending key mgmt packets at the same time one
>sends the datagrams.  Since SAIDs are receiver-oriented, a sender can't
>force a key upon the receiver without the receiver's involvement in

And where are these key mgmt packets in relation to the IPv6 packet?
I can't parse what you're thinking here.

So far Danny has not been misleading, and it's obvious to me.  You have
not convinced me it is misleading, but I am sure Danny will reply too.

>any case.  If we remove that receiver-orientation, then IP multicasting
>will not work well with security (and multicasting is a 1st order
>service of IPv6).

I don't agree with this at all.  Multicast for system discovery or
autoconfiguration, absolutely.  Not for applications.  The bulk of
applications will still use unicast addresses for datagrams, at least for
the next 5 years.

>  Out of band keying does NOT mean "on average, very poor performance".
>Your assertion just is not true.

The assertion is intuitively true.

>  We should continue to avoid coupling key mgmt and the security
>mechanisms and hence should continue to avoid in-band key mgmt in
>standards-track specifications within the IETF.

Better yet, we need more people like Danny to finally come to IPng and
send us a wake-up call before we make something a proposed standard that
will cost so much in performance that no one will use it, no matter how much
security they need.

Danny, please continue your input on this; we needed this kind of drilling
of the security specs.

/jim


