Re: (IPng) out-of-band key management is like virtual cir
>As soon as you have structured SAIDs, you have to start throwing lots
>of complexity into your kernel -- the kernel must not just have hooks
>for key negotiation but has to keep tables of key negotiation types
>and be an active participant in the key negotiation process. We are
>going to have to start having IANA handing out SAID ranges and the
>like. Furthermore, we've just conflated the layers -- something
>people keep accusing me of doing. I haven't even plotted out all the
>complexities yet. It certainly causes me to have to toss out user
>level key management stuff, which I don't like.

Multicast Security Associations (SAs) cannot be managed in the same way as
peer-to-peer SAs. Given this, the SAID should have some structure to
easily separate the multicast SAs from the peer-to-peer ones. Once you
accept some structure it is not a big deal to accept another "silly bit."
Then, an implementation does not need to know every in-band identifier that
is assigned. It only needs to know about the ones that it supports.