
Re: (IPng) Re: out-of-band key management is like virtual circuits
Ashar Aziz says:
> We have serious concerns about being limited to a cached-VC-like model
> with IPSP/IPv6. We anticipate this approach to be problematic on secure 
> servers with a large number of clients, and firewalls with a large number
> of remote IP clients.

Under those circumstances, SKIP would display absolutely identical
properties if it was to perform well. You would end up having to cache
lots of keys in the kernel -- unless you were going to do server
lookups on each, with several packet exchanges, which would obviate
all claims of performance advantages.

Now, as for firewalls with large numbers of clients, I have actually
built and operated such firewalls. They all operate with application
level relays which are far heavier weight, statewise, than security
associations could ever be. These firewalls function just fine.

> The cached-security-session approach is even more problematic than
> your typical cached VC situation because of the problem of "half-open-
> connections".  This is when one side crashes and loses the shared session 
> state. Normally, one can simply blow away half-open connections when 
> the side that has crashed detects them. This is not so trivial for a 
> security session because this has to be done securely, otherwise 
> denial-of-service attacks would be trivial. (Not to say that this can't 
> be solved, but this at least presents another complication).

I don't see why it's a problem at all. The TCP connections to the dead
machine will vanish on their own. The security associations will
eventually time out and go away. New connections from the rebooted
machine will form new security associations.

> Finally, as they say, the proof is in the pudding. Let's build
> and deploy some of these approaches to gain operational experience.

That's an excellent suggestion, and one that I heartily approve of.

Perry
