Re: (IPng) Re: out-of-band key management is like virtual circuits
> From ipsec-request@ans.net Fri Feb 24 14:12 PST 1995
> bound@zk3.dec.com says:
> > I highly suggest to the chairs to get with Ran offline and fix this if
> > he continues to pursue this course. He should have to justify why
> > Danny's claims will not benefit a draft under this group's charter as of
> > right now just like the rest of the drafts must do this. This is just
> > the wrong thing to do.
>
> "Danny's" suggestion is in fact Ashar Aziz's suggestion, as you would
> know if you were on the ipsec list which you feel you don't have to be
> on. However, Ashar isn't claiming it has anything to do with
> performance per se -- he wants it to make his life easier in promoting
> a particular key management system called SKIP, which was designed
> with in-band in mind.
Perry,
I have raised performance issues in the past (in fact you and I had that
exchange). There are situations where you don't want to have to go through
the overhead of establishing a session when all you want to do is send a
few IP packets (e.g. net mgmt, ICMP, etc.). You suggested one could do this
with cached security-connections, whereas I responded that this doesn't
work well for servers, net managers or routers that may need to reach a
very large destination set, because all of these connections would have
to be re-established in case of crash/reboot scenarios.
Regards,
Ashar.