
Re: (IPng) out-of-band key management is like virtual circuits



> Any key management protocol will require one or more exchanges to key
> servers. This will induce delay.
 
On the in-band model, if the long term key is local or cached, no exchange
with the key server is necessary.  With out-of-band, this exchange and
its delay will always be incurred.

> Any connection these days on the net requires an exchange with DNS servers.
> This induces delay.
 
You can still use the IP address, in which case there is no DNS lookup.  Furthermore,
your DNS server may cache the names/addresses, in which case there is no delay,
as well.
 
> Any key
> management protocol based on public key techniques will require
> significant computation time -- probably more than several packet
> round trips on the current internet. This will induce delay. None of
> these delays can be avoided.

Some of them certainly can be avoided.  With in-band keying, caching of
long term keys eliminates exchanges with the key servers for every 
connection.  In-band keying also eliminates the exchange required for every 
connection.  
 
Your argument appears to be: We have so many delays right now, why not
incur more?  I don't agree.  The public key computation can't 
be avoided, but requiring handshakes for packet exchanges certainly can.  

By eliminating the structured SAID bit, you are also eliminating a particular 
flavor of key management.  As I recall, IPSP is supposed to be independent
of key management.

In-band keying should at least be an option.

--tom

