
Re: (IPng) out-of-band key management is like virtual circuits

Ashar Aziz says:
> 
> > From ipsec-request@ans.net Fri Feb 24 13:45 PST 1995
> > As soon as you have structured SAIDs, you have to start throwing lots
> > of complexity into your kernel -- the kernel must not just have hooks
> > for key negotiation but has to keep tables of key negotiation types
> > and be an active participant in the key negotiation process. We are
> > going to have to start having IANA handing out SAID ranges and the
> > like. Furthermore, we've just conflated the layers -- something people
> > keep accusing me of doing.  I haven't even plotted out all the
> > complexities yet. It certainly causes me to have to toss out user
> > level key management stuff, which I don't like.
> 
> Our key-management (with structured SAIDs) *is* in fact done
> in user space. The difference is that one uses the encrypted
> key to aid in the lookup process in the kernel, and is in fact
> quite similar to doing a lookup based on a key-id or a SAID from
> an implementation perspective.

You have to have upcalls from your kernel to deal with structured
SAIDs, and you have to deal with different types of these structured
SAIDs -- of course, you've only implemented the ones for SKIP, but
what happens when someone else wants to use these structured SAIDs for
some purpose? At which point, of course, the kernel has to distinguish
between them and start building a switch table to decide where to do
the upcall to. Of course it all can be done -- but it's more
complex. It's also less modular. Without this stuff, you can replace
key management without any kernel manipulation at all.

Perry
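The two designs argued over above, as an added example that is not part of the original thread and not code from SKIP or any IPsec implementation. It puts a minimal opaque-SAID table (the kernel indexes by SAID only; user-space key management installs finished SAs) next to a structured-SAID variant in which a table miss forces the kernel to decode a type field, consult a per-type switch table and upcall a registered handler. The SAID layout (top four bits as the type), the `km_switch` table and every function name are constructed for illustration and do not describe SKIP's real format:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: contrasts the two SA-table designs from the thread.
 * All names and the SAID layout are hypothetical; the "structured" layout
 * below is NOT SKIP's actual format. */

#define SA_TABLE_SIZE 16
#define KEY_BYTES 16

typedef struct {
    uint32_t said;          /* Security Association Identifier */
    int in_use;
    uint8_t key[KEY_BYTES]; /* session key installed by user-space key management */
} sa_entry_t;

static sa_entry_t sa_table[SA_TABLE_SIZE];

/* --- Design 1: opaque SAIDs ---------------------------------------------
 * The kernel only indexes by SAID. Key management runs entirely in user
 * space and pushes finished SAs down; the kernel never learns which protocol
 * negotiated the key, so key management can be swapped without kernel changes. */

int sa_install(uint32_t said, const uint8_t key[KEY_BYTES]) {
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (!sa_table[i].in_use) {
            sa_table[i].said = said;
            sa_table[i].in_use = 1;
            memcpy(sa_table[i].key, key, KEY_BYTES);
            return 0;
        }
    }
    return -1; /* table full */
}

const sa_entry_t *sa_lookup_opaque(uint32_t said) {
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (sa_table[i].in_use && sa_table[i].said == said)
            return &sa_table[i];
    }
    return NULL; /* unknown SAID: the packet is dropped, nothing more to decide */
}

/* --- Design 2: structured SAIDs -----------------------------------------
 * Hypothetical layout: the top 4 bits name a key-management type. A table
 * miss is no longer final: the kernel must decode the type, consult a
 * per-type switch table and upcall the matching handler, so every new
 * key-management type needs a kernel-visible registration. */

#define SAID_TYPE(said) ((uint32_t)(said) >> 28)
#define SAID_TYPE_COUNT 16

typedef int (*km_upcall_fn)(uint32_t said, uint8_t key_out[KEY_BYTES]);

static km_upcall_fn km_switch[SAID_TYPE_COUNT]; /* the "switch table" the reply describes */

int km_register(uint32_t type, km_upcall_fn fn) {
    if (type == 0 || type >= SAID_TYPE_COUNT)
        return -1; /* type 0 is reserved for plain (non-structured) SAIDs */
    km_switch[type] = fn;
    return 0;
}

const sa_entry_t *sa_lookup_structured(uint32_t said) {
    const sa_entry_t *e = sa_lookup_opaque(said);
    if (e)
        return e;
    uint32_t type = SAID_TYPE(said);
    if (type == 0 || km_switch[type] == NULL)
        return NULL; /* plain SAID, or no handler registered for this type */
    uint8_t key[KEY_BYTES];
    if (km_switch[type](said, key) != 0)
        return NULL; /* handler could not resolve the SAID */
    if (sa_install(said, key) != 0)
        return NULL;
    return sa_lookup_opaque(said);
}

/* Constructed stand-in for one key-management type's handler: derives a
 * dummy key from the SAID bytes so the upcall path can be exercised offline. */
int demo_km_handler(uint32_t said, uint8_t key_out[KEY_BYTES]) {
    for (size_t i = 0; i < KEY_BYTES; i++)
        key_out[i] = (uint8_t)((said >> (8 * (i % 4))) & 0xffu);
    return 0;
}

int main(void) {
    uint8_t k[KEY_BYTES] = {0};
    sa_install(0x00000042u, k);            /* installed from user space, opaque design */
    km_register(1, demo_km_handler);        /* kernel must know about type 1 in the structured design */
    printf("opaque 0x42: %s\n", sa_lookup_opaque(0x42u) ? "hit" : "miss");
    printf("structured 0x10000007: %s\n", sa_lookup_structured(0x10000007u) ? "resolved via upcall" : "miss");
    printf("structured 0x20000007: %s\n", sa_lookup_structured(0x20000007u) ? "resolved via upcall" : "miss (no handler)");
    return 0;
}
```

The point the contrast makes is that in the opaque design the kernel code stops at `sa_lookup_opaque`, while the structured design drags the type decoding, the handler registry and the upcall into the kernel, and a SAID whose type has no registered handler (type 2 above) is unresolvable until someone adds kernel-side support for it.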