
Re: (IPng) out-of-band key management is like virtual circuits




Tom Markson says:
> Your argument appears to be: We have so many delays right now, why not
> incur more?

No. My argument is "when you have figures demonstrating that there is
a performance problem, please call back."

I suspect that, with association caching and the like, the overall
latency added by key handshakes will not be measurable. Others claim
it's going to be intolerable. There is an easy way to prove this one
way or another, isn't there?

> I don't agree. The public key computation can't
> be avoided, but requiring handshakes for packet exchanges certainly can.

I keep hearing Hugo asking for MORE handshakes to make sure that
there are no holes in the authentication.

> By eliminating the structured SAID bit, you are also eliminating a particular
> flavor of key management.  As I recall, IPSP is supposed to be independent
> of key management.

As soon as you have structured SAIDs, you have to start throwing lots
of complexity into your kernel -- the kernel must not just have hooks
for key negotiation but has to keep tables of key negotiation types
and be an active participant in the key negotiation process. We are
going to have to start having IANA handing out SAID ranges and the
like. Furthermore, we've just conflated the layers -- something people
keep accusing me of doing.  I haven't even plotted out all the
complexities yet. It certainly causes me to have to toss out user
level key management stuff, which I don't like.

Perry
