
Re: (IPng) Re: out-of-band key management is like virtual circuits

> From: "Perry E. Metzger" <perry@imsi.com>
> A session is a lump of data sitting in memory. It isn't a bunch of
> phone linemen with trucks. Our connections are "virtual"; they are
> just state. From what I can tell, SKIP forces you to cache a bunch of
> data, and other proposals do, too. As soon as you start having to keep
> track of data, you aren't stateless and that's all that
> counts. "Sessions" are a red herring. The question is state, and you
> have it just like all the other proposals. You can't avoid it.

Perry,

I disagree (which by now shouldn't be a surprise). E-mail and
IP are session-less. I can send you IP packets or e-mail regardless
of whether your node is up or down (you may not receive them
but that's a different story). I cannot establish a TCP or
X.25 connection with you if your node is unavailable. 

Now, with SKIP I can establish and change keys, even if your
node is down. With other session-oriented key-mgmt schemes
this cannot be done. It is in this sense that SKIP is stateless
and session-less and operates essentially like IP. The cache of
information that SKIP maintains is similarly session-less
(as e.g. information about what the remote node's IP address is
session-less, but per-VCI X.25 information is not). SKIP
cached information is good across reboots.

The information that some of the other key-mgmt protocols maintain 
(e.g. session keys) is not good across reboots. This means public-key 
operations always have to be done after reboots, but with SKIP they 
only have to be done once. These are important distinctions.

> > Yes, but we are not talking about a security protocol just for TCP.
> 
> That's completely irrelevant. You just put an inactivity timer on your
> SA structures and they clean themselves up. Big deal.
> 
> ShowMe is a very heavyweight application -- you get data packets from
> it on a constant basis. I would expect, then, that the half-open state
> problem would not be a problem -- a two minute inactivity timer on
> your state would easily handle the problem. 

No, it wouldn't. ShowMe will send video regardless of whether
the remote node is up or down. There will be no inactivity, and so 
the inactivity timer will never go off. 

Regards,
Ashar.
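As an added illustration of the reboot point made above (example code, not from the thread, and a toy model rather than SKIP's actual packet format): a receiver that caches the pairwise DH-derived key keeps verifying packets after a reboot with no further public-key work, while a receiver holding only in-memory session keys needs a new handshake. The DH group, the packet fields and all function names are constructed for this example.

```python
import hashlib, hmac, os
P, G = 2**127 - 1, 3  # toy DH group, chosen only to keep the arithmetic short
def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Node:
    def __init__(self, name):
        self.name, self.pubkey_ops = name, 0
        self.priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.pairwise_cache = {}  # peer -> Kij, on stable storage: survives a reboot
        self.session_keys = {}    # peer -> session key, RAM only: lost on a reboot

    def pairwise_key(self, peer):
        # SKIP-style implicit shared key g^(ij): one public-key op per peer, ever
        if peer.name not in self.pairwise_cache:
            self.pubkey_ops += 1
            shared = pow(peer.pub, self.priv, P).to_bytes(16, "big")
            self.pairwise_cache[peer.name] = hashlib.sha256(shared).digest()
        return self.pairwise_cache[peer.name]

    def reboot(self):
        self.session_keys.clear()  # only in-memory session state is lost

def skip_send(src, dst, payload):
    # per-packet key Kp derived from cached Kij and an in-band nonce; dst need not be up
    nonce = os.urandom(16)
    kp = prf(src.pairwise_key(dst), nonce)
    return {"nonce": nonce, "payload": payload, "tag": prf(kp, payload)}
def skip_recv(dst, src, pkt):
    kp = prf(dst.pairwise_key(src), pkt["nonce"])  # Kij comes from the cache after first use
    return hmac.compare_digest(prf(kp, pkt["payload"]), pkt["tag"])
def session_handshake(a, b):
    # session-oriented model: both ends must be up and each spends a public-key op
    a.pubkey_ops += 1; b.pubkey_ops += 1
    a.session_keys[b.name] = b.session_keys[a.name] = os.urandom(32)
def session_recv(dst, src, pkt):
    k = dst.session_keys.get(src.name)  # None after a reboot: a new handshake is needed
    return k is not None and hmac.compare_digest(prf(k, pkt["payload"]), pkt["tag"])

def compare_across_reboot():
    """Receiver reboots between two packets; return (receiver public-key ops, verified)."""
    a, b = Node("A"), Node("B")
    skip_recv(b, a, skip_send(a, b, b"frame 1")); b.reboot()
    skip_ok = skip_recv(b, a, skip_send(a, b, b"frame 2"))
    c, d = Node("C"), Node("D")
    session_handshake(c, d); d.reboot()
    sess_ok = session_recv(d, c, {"payload": b"frame 2", "tag": prf(c.session_keys["D"], b"frame 2")})
    session_handshake(c, d)  # the session model must redo public-key work to recover
    return {"skip": (b.pubkey_ops, skip_ok), "session": (d.pubkey_ops, sess_ok)}
```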
