
Re: (IPng) Re: out-of-band key management is like virtual circuits

> From perry@imsi.com Fri Feb 24 15:15 PST 1995
> Under those circumstances, SKIP would display absolutely identical
> properties if it was to perform well. You would end up having to cache
> lots of keys in the kernel -- unless you were going to do server
> lookups on each, with several packet exchanges, which would obviate
> all claims of performance advantages.

Perry,

As I just explained in an earlier message to Carl, SKIP caching is quite 
different from caching stateful connections. It is very session-less,
and with the right implementation, one can almost completely hide the
overhead of expensive public-key operations; this cannot be achieved
by caching traditional secure sessions.

> Now, as for firewalls with large numbers of clients, I have actually
> built and operated such firewalls. They all operate with application
> level relays which are far heavier weight, statewise, than security
> associations could ever be. These firewalls function just fine.

We have several firewalls in-house as well. However, these firewalls
with application-layer relays have never been used to establish
entire virtual enterprises over a public net like the Internet. They
typically give you a handful of Internet services, and connectivity
through them is not as seamless as on a private net. I don't believe
that to date, very large scale virtual enterprises have been built
using the kind of firewall you are referring to (though I am open
to correction).

> > Normally, one can simply blow away half-open connections when 
> > the side that has crashed detects them. This is not so trivial for a 
> > security session because this has to be done securely, otherwise 
> > denial-of-service attacks would be trivial. (Not to say that this can't 
> > be solved, but this at least presents another complication).
> 
> I don't see why it's a problem at all. The TCP connections to the dead
> machine will vanish on their own. The security associations will
> eventually time out and go away. New connections from the rebooted
> machine will form new security associations.

Yes, but we are not talking about a security protocol just for TCP.
We are talking about a security protocol for IP, and TCP is not the 
only thing that runs over IP. In particular, secure sessions running
underneath session-less protocols (e.g. UDP based apps) will not time out
and vanish. (As it so happens, the encrypted video demo using Sun's ShowMe 
application that I gave at the San Jose IETF is one such application.)

Regards,
Ashar.
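
The two technical points Ashar makes above, that SKIP caches a pairwise
secret per peer rather than per session and so can amortise the public-key
work, and that a crashed peer leaves no half-open security session to clean
up even under UDP-style traffic, as an added illustration in Python. This is
not code from the message or an implementation of the SKIP specification:
the 2^127-1 group, the SHA-256 XOR stream standing in for a real cipher,
the `directory` dict standing in for certified Diffie-Hellman public values,
and the host names and private values are all assumptions of this example.

```python
"""SKIP-style session-less key caching, as an added illustration.

Not code from the original message or from any SKIP implementation: a
toy Diffie-Hellman group, a SHA-256 XOR stream in place of a real
cipher, and a plain dict standing in for certified public values.
"""
import hashlib
import secrets

# Toy group (assumption: 2**127 - 1 is prime but far too small for real use).
P = (1 << 127) - 1
G = 3


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR stream keyed by SHA-256(key || nonce || counter).
    Illustration only; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SkipNode:
    """A host holding one long-term DH private value and a cache of
    pairwise secrets Kij, keyed by peer name. No per-connection state."""

    def __init__(self, name: str, private: int):
        self.name = name
        self.priv = private
        self.pub = pow(G, private, P)
        self.pair_cache = {}   # peer name -> Kij
        self.dh_ops = 0        # expensive public-key operations performed

    def pairwise_secret(self, peer: str, peer_pub: int) -> bytes:
        """Kij = H(g^(xi*xj) mod p): computed once per peer, then cached.
        Identical on both sides, so it never has to be negotiated."""
        kij = self.pair_cache.get(peer)
        if kij is None:
            self.dh_ops += 1
            shared = pow(peer_pub, self.priv, P)
            kij = hashlib.sha256(shared.to_bytes(16, "big")).digest()
            self.pair_cache[peer] = kij
        return kij

    def send(self, peer: str, directory: dict, plaintext: bytes) -> dict:
        """Pick a fresh packet key Kp, wrap it under Kij, put it in the
        header. No handshake with the peer is required."""
        kij = self.pairwise_secret(peer, directory[peer])
        kp = secrets.token_bytes(32)
        nonce = secrets.token_bytes(8)
        return {
            "from": self.name,
            "nonce": nonce,
            "wrapped_kp": _xor_stream(kij, nonce + b"kp", kp),
            "body": _xor_stream(kp, nonce + b"data", plaintext),
        }

    def receive(self, packet: dict, directory: dict) -> bytes:
        """Unwrap Kp with the (cached or recomputed) Kij, then the body.
        Everything needed is in the packet plus the sender's public value."""
        sender = packet["from"]
        kij = self.pairwise_secret(sender, directory[sender])
        kp = _xor_stream(kij, packet["nonce"] + b"kp", packet["wrapped_kp"])
        return _xor_stream(kp, packet["nonce"] + b"data", packet["body"])


def demo(n_packets: int = 50) -> dict:
    """Alice streams datagrams to Bob; Bob crashes and reboots mid-stream.
    Names and private values are made up for this example."""
    alice = SkipNode("alice", private=0x1234_5678_9ABC_DEF0_1357_9BDF)
    bob = SkipNode("bob", private=0x0FED_CBA9_8765_4321_2468_ACE0)
    directory = {"alice": alice.pub, "bob": bob.pub}  # stands in for certs

    msgs = [b"frame-%03d" % i for i in range(n_packets)]
    ok_before = all(bob.receive(alice.send("bob", directory, m), directory) == m
                    for m in msgs)

    # Bob reboots: fresh process, same long-term key, empty cache. Alice is
    # never told and keeps sending exactly as before; nothing to tear down.
    bob2 = SkipNode("bob", private=bob.priv)
    after = bob2.receive(alice.send("bob", directory, b"after-reboot"), directory)

    return {
        "ok_before_crash": ok_before,
        "decrypted_after_crash": after,
        "alice_dh_ops": alice.dh_ops,                  # 1 for all datagrams
        "bob_dh_ops": bob.dh_ops,                      # 1
        "bob2_dh_ops": bob2.dh_ops,                    # 1: recomputed, not renegotiated
        "alice_cache_entries": len(alice.pair_cache),  # 1 peer, not n flows
    }


if __name__ == "__main__":
    print(demo())
```

The sender's cached state grows with the number of peers, not with the
number of flows or datagrams, and the rebooted receiver recovers with a
single modular exponentiation rather than a protocol exchange, which is the
contrast with a stateful session that a crashed UDP peer would leave
half-open with no idle timeout to clear it.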