
Re: (IPng) out-of-band key management is like virtual circuits



Look, folks, let's slow down here and go back to basic protocol of 1993
#101.  You can gain performance in networks in various manners, like
reducing memory copies, avoiding fine-granular timers, and piggybacking
data and even packets.  The in-band approach can possibly increase
performance because of the latter, strictly from a pure packet-throughput
standpoint, and from avoidance of signing the key out-of-band data, which is
going to cost extra.  The cost is the extra communications to establish the
user-to-user key.  It appears to me in-band data with the user's key can
avoid that extra communications.

The other basic is: why can't we have it as an option?  How many of you
have tested Ran's architecture in your code?  The Digital team has.  And
it will be very costly to your end systems.  If Danny's idea can or may
give us a performance gain, then why not permit it as an option?  I can't
commit, but maybe we will build it and test it in our implementation of
IPv6.

How can a group who could not even come to a bake-off to test what is to
be a proposed standard be so all fired up to say that this will not
improve security performance, when they themselves, it appears, are also
dealing completely in theory, abstractions, and some historical
evidence?

I am also reading Danny's mail as I write this, and I honestly did not
get the same impressions from Danny's mail as Perry did.  What I got was
an engineer who knows a hell of a lot about security giving us another
technical perspective, one that raises questions about our present
Security draft.  I will not be "railroaded" into not listening to his
suggestion and data.

In addition, it's completely in line with my input to Ran on the issue of
Key Mgmt and the Security architecture and how a particular MUST is
worded.  In fact, this is a good LAST CALL "I don't like this" argument to
the IESG if necessary.

Look, this whole area of key mgmt has lots of people outside of the IETF
worried that we have not figured this out.  Also, I still await a response
from Ran on my issue of this being widely deployed, but the specs say
they want to make MUST that which will not be widely deployed.

/jim


