
Re: (IPng) out-of-band key management is like virtual cir


>As soon as you have structured SAIDs, you have to start throwing lots 
>of complexity into your kernel -- the kernel must not just have hooks 
>for key negotiation but has to keep tables of key negotiation types 
>and be an active participant in the key negotiation process. We are 
>going to have to start having IANA handing out SAID ranges and the 
>like. Furthermore, we've just conflated the layers -- something 
>people keep accusing me of doing.  I haven't even plotted out all the 
>complexities yet. It certainly causes me to have to toss out user 
>level key management stuff, which I don't like.

Multicast Security Associations (SAs) cannot be managed in the same way as 
peer-to-peer SAs.  Given this, the SAID should have some structure to 
easily separate the multicast SAs from the peer-to-peer ones.  Once you 
accept some structure, it is not a big deal to accept another "silly bit."  
Then, an implementation does not need to know every in-band identifier that 
is assigned.  It only needs to know about the ones that it supports.
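
A worked illustration of the point above, added here and not code from the IPng list, from any IPsec draft, or from any kernel: the SAID bit layout below (a multicast flag, a small in-band key-management type field, and a receiver-assigned index) is an assumption chosen for the example, since the message only says the SAID should carry "some structure" and a "silly bit". It shows the multicast and peer-to-peer SAs living in separate tables selected by one bit, a peer SA additionally pinned to its sender, and a host dropping packets whose in-band type it does not implement without having to know every type that has been assigned.

```python
"""Structured SAID lookup: separating multicast from peer-to-peer SAs.

Added illustration in Python; not code from the IPng list, from IPsec, or
from any kernel.  The bit layout is an assumption for the example: the
thread only says the SAID should carry "some structure" and a "silly bit".
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed 32-bit SAID layout (hypothetical):
#   bit 31      : 1 = multicast SA, 0 = peer-to-peer SA   (the "silly bit")
#   bits 30..28 : in-band key-management type, 0 = manually keyed
#   bits 27..0  : index assigned by the receiver (or the group key manager)
MULTICAST_FLAG = 1 << 31
KM_SHIFT = 28
KM_MASK = 0x7
INDEX_MASK = (1 << 28) - 1

KM_MANUAL = 0   # statically configured keys; nothing to negotiate in-band
KM_TYPE_A = 1   # hypothetical in-band negotiation type this host implements


@dataclass(frozen=True)
class SecurityAssociation:
    key: bytes
    peer: Optional[str] = None    # expected source address of a unicast SA
    group: Optional[str] = None   # group address of a multicast SA


def make_said(multicast: bool, km_type: int, index: int) -> int:
    """Compose a SAID from its (assumed) fields, rejecting out-of-range values."""
    if not 0 <= km_type <= KM_MASK or not 0 <= index <= INDEX_MASK:
        raise ValueError("field out of range")
    return (MULTICAST_FLAG if multicast else 0) | (km_type << KM_SHIFT) | index


def parse_said(said: int) -> Tuple[bool, int, int]:
    """Split a SAID into (is_multicast, km_type, index)."""
    if not 0 <= said < (1 << 32):
        raise ValueError("SAID must fit in 32 bits")
    return (bool(said & MULTICAST_FLAG), (said >> KM_SHIFT) & KM_MASK, said & INDEX_MASK)


class SADatabase:
    """Two SA tables, selected by the multicast bit of the SAID."""

    def __init__(self, supported_km_types) -> None:
        self.unicast: Dict[int, SecurityAssociation] = {}
        self.multicast: Dict[int, SecurityAssociation] = {}
        self.supported = frozenset(supported_km_types)
        self.dropped_unsupported = 0

    def install(self, said: int, sa: SecurityAssociation) -> None:
        is_mcast, km_type, _ = parse_said(said)
        if km_type not in self.supported:
            # A host only needs to know the in-band types it implements;
            # installing an SA of a type it cannot maintain would be a bug.
            raise ValueError(f"unsupported key-management type {km_type}")
        if is_mcast != (sa.group is not None):
            raise ValueError("SA kind does not match the SAID multicast bit")
        (self.multicast if is_mcast else self.unicast)[said] = sa

    def lookup(self, said: int, src: str) -> Optional[SecurityAssociation]:
        """Find the SA for an inbound packet; None means drop the packet."""
        is_mcast, km_type, _ = parse_said(said)
        if km_type not in self.supported:
            self.dropped_unsupported += 1    # not ours to negotiate; drop
            return None
        if is_mcast:
            # Group key: any member may be the source, so src is not checked.
            return self.multicast.get(said)
        sa = self.unicast.get(said)
        # Peer SA: the SAID is receiver-assigned, so also pin the sender.
        return sa if sa is not None and sa.peer == src else None


def demo() -> Dict[str, Optional[SecurityAssociation]]:
    """Populate a database with constructed SAs and run lookups by case."""
    db = SADatabase(supported_km_types={KM_MANUAL, KM_TYPE_A})
    peer_said = make_said(False, KM_TYPE_A, 0x101)
    group_said = make_said(True, KM_MANUAL, 0x7)
    db.install(peer_said, SecurityAssociation(b"k1", peer="10.0.0.2"))
    db.install(group_said, SecurityAssociation(b"k2", group="224.0.1.9"))
    unknown_said = make_said(False, 6, 0x101)   # km type this host lacks
    return {
        "peer_ok": db.lookup(peer_said, "10.0.0.2"),
        "peer_wrong_src": db.lookup(peer_said, "10.0.0.9"),
        "group_any_src": db.lookup(group_said, "10.0.0.77"),
        "unsupported": db.lookup(unknown_said, "10.0.0.2"),
    }


if __name__ == "__main__":
    for case, sa in demo().items():
        print(f"{case:15s} -> {sa}")
```

The design choice worth noting is that the type field is checked before either table is consulted: a SAID carrying a key-management type the host does not implement never reaches a table at all, which is what lets the kernel stay ignorant of identifier ranges it does not support.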