[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng) Re: out-of-band key management is like virtual circuits

   Cc: ipsec@ans.net, solo@BBN.COM
   Date: Wed, 08 Mar 95 09:00:54 -0500

   I, too, believe that the solutions we offer should be capable of
   accomodating both in-band and out-of-band KM (or key distribution).
   As with other topics, it seems that there are three options (probably
   more, but so it goes) for doing this: negotiation that includes IPSP
   format; structured SAIDs that connote IPSP format and semantics; and
   multiple protocol IDs.  Essentially, the second option is a way to
   extend the protocol ID space without consuming additional IP next
   protocol numbers.  I believe Russ's suggestion below has merit; but if
   we can't reach agreement on adding such structure to the SAID field,
   then I would suggest we consider adopting two protocol IDs, one for
   the fixed format structure Bill and Perry have espoused and one with
   comparable syntax but with the SAID based extensible option Russ
   describes.  This argument seems to reduce to the efficiency of where
   "protocol" demultiplexing takes place.

There is a forth option --- which is to reserve a single SAID to mean
"we're initiating a new connection, and we're going to do the in-band
keying thing".  The first part of the packet payload would then contain
information describing the type of the in-band keying, and any in-band
keying specific data.

I believe this is far superior than cedeing a large chunk of the SAID
space --- it's more flexible.  In addition, the whole concept of a
"structured SAID" is a real perversion of the original meaning of a
Secure Association ID.  A structured SAID isn't really an ID.  It's
stealing 50% of the SAID space, and using a bit to indicate that the
rest of the SAID is an escape for a particular in-band keying system.
But it's extremely wasteful of the SAID space, and insufficiently
flexible.  After all, we only get to define the structure of the
"structure SAID" once; and if we get it wrong, then that's it; we're

This is why I still maintain that a "structured SAID" is really all
about stealing one half of the SAID space for SKIP.  There's no
guarantee that no matter what scheme you use, that it will be good
enough for the next in-band keying system.  

							- Ted