
Re: (IPng) Re: out-of-band key management is like virtual circuits

In message <9502242228.AA01003@miraj.>  you wrote:
> 
> > From ipsec-request@ans.net Fri Feb 24 14:12 PST 1995
> > bound@zk3.dec.com says:
> > > I highly suggest to the chairs to get with Ran offline and fix this if
> > > he continues to pursue this course.  He should have to justify why
> > > Danny's claims will not benefit a draft under this group's charter as of
> > > right now just like the rest of the drafts must do this.  This is just
> > > the wrong thing to do.
> > 
> > "Danny's" suggestion is in fact Ashar Aziz's suggestion, as you would
> > know if you were on the ipsec list which you feel you don't have to be
> > on. However, Ashar isn't claiming it has anything to do with
> > performance per se -- he wants it to make his life easier in promoting
> > a particular key management system called SKIP, which was designed
> > with in-band in mind.
> 
> Perry,
> 
> I have raised performance issues in the past (in fact you and I had that
> exchange). There are situations where you don't want to have to go through
> the overhead of establishing a session when all you want to do is send a
> few IP packets (e.g. net mgmt, ICMP etc.). You suggested one could do this
> with cached security-connections, whereas I responded that this doesn't
> work well for servers, net managers or routers that may need to reach a
> very large destination set, because all of these connections would have
> to be re-established in case of crash/reboot scenarios.
> 
> Regards,
> Ashar.

Even with SKIP, there is some state kept around somewhere, maybe in the DNS
(more messages), but it has to exist. In the case of crashes/reboot, you have
to "re-establish" the context of all of those connections eventually anyway
(not TCP connections per se, but connections nevertheless). No one has said
that the re-establishment was a synchronous event; just bring them back when
you need them, since you'll need them again in most cases.

carl.