Re: (IPng) Re: out-of-band key management is like virtual circuits
Cc: ipsec@ans.net, solo@BBN.COM
Date: Wed, 08 Mar 95 09:00:54 -0500
I, too, believe that the solutions we offer should be capable of
accommodating both in-band and out-of-band KM (or key distribution).
As with other topics, it seems that there are three options (probably
more, but so it goes) for doing this: negotiation that includes IPSP
format; structured SAIDs that connote IPSP format and semantics; and
multiple protocol IDs. Essentially, the second option is a way to
extend the protocol ID space without consuming additional IP next
protocol numbers. I believe Russ's suggestion below has merit; but if
we can't reach agreement on adding such structure to the SAID field,
then I would suggest we consider adopting two protocol IDs, one for
the fixed format structure Bill and Perry have espoused and one with
comparable syntax but with the SAID based extensible option Russ
describes. This argument seems to reduce to the efficiency of where
"protocol" demultiplexing takes place.
There is a fourth option --- which is to reserve a single SAID to mean
"we're initiating a new connection, and we're going to do the in-band
keying thing". The first part of the packet payload would then contain
information describing the type of the in-band keying, and any in-band
keying specific data.
I believe this is far superior to ceding a large chunk of the SAID
space --- it's more flexible. In addition, the whole concept of a
"structured SAID" is a real perversion of the original meaning of a
Secure Association ID. A structured SAID isn't really an ID. It's
stealing 50% of the SAID space, and using a bit to indicate that the
rest of the SAID is an escape for a particular in-band keying system.
But it's extremely wasteful of the SAID space, and insufficiently
flexible. After all, we only get to define the structure of the
"structured SAID" once; and if we get it wrong, then that's it; we're
stuck.
This is why I still maintain that a "structured SAID" is really all
about stealing one half of the SAID space for SKIP. There's no
guarantee that, no matter what scheme you use, it will be good
enough for the next in-band keying system.
- Ted
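The two demultiplexing schemes under debate, reconstructed as an added example (this is not code from the thread or from any IPSP draft). It assumes a 32-bit SAID carried in the first four bytes of the packet, a single reserved SAID value of 1 for Ted's "we're initiating a new connection" escape, with the in-band keying type as the first payload byte, and, for the structured-SAID variant, the high bit as the escape flag with the keying type in the next seven bits. The specific field widths and the reserved value are assumptions chosen for illustration; the point the code makes is where the escape is carried and how many SAIDs each scheme leaves for ordinary security associations.

```python
import struct

SAID_BITS = 32                      # assumed SAID width
RESERVED_INBAND_SAID = 1            # assumed reserved value for "new connection, in-band keying"
ESCAPE_BIT = 1 << (SAID_BITS - 1)   # structured-SAID variant: high bit marks an escape
TYPE_SHIFT = SAID_BITS - 8          # assumed: keying type lives in the 7 bits below the escape bit


def _split(packet):
    """Return (said, payload) from a packet whose first 4 bytes are the SAID (assumed layout)."""
    if len(packet) < 4:
        raise ValueError("packet too short to carry a SAID")
    (said,) = struct.unpack("!I", packet[:4])
    return said, packet[4:]


def demux_reserved_said(packet, sa_table):
    """Ted's fourth option: one SAID value is the escape; the keying type is in the payload.

    Returns ("inband", keying_type, rest) for a new-connection packet,
    ("established", sa, payload) for a known SAID, or ("drop", said, None).
    """
    said, payload = _split(packet)
    if said == RESERVED_INBAND_SAID:
        if not payload:
            return ("drop", said, None)   # escape packet must name its keying type
        return ("inband", payload[0], payload[1:])
    sa = sa_table.get(said)
    if sa is None:
        return ("drop", said, None)
    return ("established", sa, payload)


def demux_structured_said(packet, sa_table):
    """Structured-SAID option: the escape and keying type are encoded in the SAID itself."""
    said, payload = _split(packet)
    if said & ESCAPE_BIT:
        keying_type = (said & ~ESCAPE_BIT) >> TYPE_SHIFT
        return ("inband", keying_type, payload)
    sa = sa_table.get(said)
    if sa is None:
        return ("drop", said, None)
    return ("established", sa, payload)


def usable_ids(scheme):
    """How many SAID values remain for ordinary security associations under each scheme."""
    if scheme == "reserved":
        return (1 << SAID_BITS) - 1        # one value lost to the escape
    if scheme == "structured":
        return 1 << (SAID_BITS - 1)        # half the space lost to the escape bit
    raise ValueError(scheme)


if __name__ == "__main__":
    # Constructed sample packets (not captured traffic).
    sa_table = {0x1234: "SA-to-bbn"}
    inband_reserved = struct.pack("!I", RESERVED_INBAND_SAID) + bytes([5]) + b"keying-data"
    inband_structured = struct.pack("!I", ESCAPE_BIT | (5 << TYPE_SHIFT)) + b"keying-data"
    established = struct.pack("!I", 0x1234) + b"ESP-payload"
    print(demux_reserved_said(inband_reserved, sa_table))
    print(demux_structured_said(inband_structured, sa_table))
    print(demux_reserved_said(established, sa_table))
    print(usable_ids("reserved"), usable_ids("structured"))
```

Both demultiplexers reach the same decision for the same traffic; the difference is that the reserved-value scheme can change the shape of the keying-type field later (it is just payload), while the structured scheme fixes the bit layout of the SAID itself once, which is the inflexibility Ted objects to.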