
Re: (IPng) Re: out-of-band key management is like virtual circuits



Ted,

I agree with you that:
  
>  There is a fourth option --- which is to reserve a single SAID to mean
>  "we're initiating a new connection, and we're going to do the in-band
>  keying thing".  The first part of the packet payload would then contain
>  information describing the type of the in-band keying, and any in-band
>  keying specific data.
>  
>  I believe this is far superior than ceding a large chunk of the SAID
>  space --- it's more flexible.  In addition, the whole concept of a
>  "structured SAID" is a real perversion of the original meaning of a
>  Secure Association ID.  A structured SAID isn't really an ID.  It's
>  stealing 50% of the SAID space, and using a bit to indicate that the
>  rest of the SAID is an escape for a particular in-band keying system.
>  But it's extremely wasteful of the SAID space, and insufficiently
>  flexible.  After all, we only get to define the structure of the
>  "structure SAID" once; and if we get it wrong, then that's it; we're
>  stuck.

In fact Ashar Aziz and I have been working on a proposal along these lines
for IPv6, which I am planning on sending out this afternoon.

However, when you say

>  This is why I still maintain that a "structured SAID" is really all
>  about stealing one half of the SAID space for SKIP.

I must disagree. SKIP is just one possible in-band keying method. At least
one other exists, that designed by DEC. So I would say that using a bit
in the SAID for in-band keying is not the most judicious use of the SAID
identifier space.

Dan
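As an added illustration of the "reserve a single SAID" option quoted above (this is example code written for this archive page, not code from either correspondent, SKIP, or the DEC design), the receiver below demultiplexes on the SAID field: one reserved value escapes to in-band keying, where the first payload byte names the keying method, and every other value is an ordinary lookup in the security-association table. The 32-bit SAID width, the reserved value, the one-byte keying-type field and the two registry entries are all assumptions made for the example; the original thread fixes none of them.

```python
import struct

# Assumed for this example: a 32-bit SAID, with a single reserved value
# meaning "this packet carries in-band keying data". Nothing else in the
# SAID space is structured, so the rest remains a flat identifier space.
SAID_INBAND_KEYING = 0x00000001

# Constructed registry of in-band keying methods, keyed by the first
# payload byte. The thread names two such methods (SKIP and DEC's design)
# but defines no codes for them; these numbers are invented.
KEYING_TYPES = {1: "SKIP", 2: "DEC"}


def build_packet(said: int, payload: bytes) -> bytes:
    """Constructed wire format: 4-byte big-endian SAID followed by payload."""
    return struct.pack("!I", said) + payload


def parse_packet(pkt: bytes, sa_table: dict):
    """Demultiplex an incoming packet on its SAID.

    Returns ("inband", method_name, keying_data) when the reserved SAID is
    present, or ("sa", said, payload) for an established association.
    Raises ValueError on a truncated header, an unknown SAID, or an unknown
    keying type, so malformed input is rejected rather than guessed at.
    """
    if len(pkt) < 4:
        raise ValueError("truncated header: no SAID")
    (said,) = struct.unpack("!I", pkt[:4])
    rest = pkt[4:]

    if said == SAID_INBAND_KEYING:
        # Reserved value: the payload starts with the keying-type byte,
        # followed by method-specific data the receiver hands to that method.
        if not rest:
            raise ValueError("in-band keying packet without keying-type byte")
        keying_type = rest[0]
        if keying_type not in KEYING_TYPES:
            raise ValueError(f"unknown in-band keying type {keying_type}")
        return ("inband", KEYING_TYPES[keying_type], rest[1:])

    # Every other SAID is an opaque identifier resolved through the SA table.
    if said not in sa_table:
        raise ValueError(f"no security association for SAID {said:#010x}")
    return ("sa", said, rest)


# Constructed sample packets for a quick self-check.
SAMPLE_SA_TABLE = {0x0000BEEF: "established-association"}
SAMPLE_INBAND = build_packet(SAID_INBAND_KEYING, bytes([2]) + b"dec-keying-data")
SAMPLE_SA = build_packet(0x0000BEEF, b"ciphertext")

if __name__ == "__main__":
    print(parse_packet(SAMPLE_INBAND, SAMPLE_SA_TABLE))
    print(parse_packet(SAMPLE_SA, SAMPLE_SA_TABLE))
```

The point the quoted argument makes is visible in the dispatch: only one value is taken out of the identifier space, and the in-band method is named by payload bytes that can be extended later, rather than by a bit whose meaning is fixed once for the whole SAID space.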

