Re: (IPng) Re: out-of-band key management is like virtual circuits
Ted,
I agree with you that:
> There is a fourth option --- which is to reserve a single SAID to mean
> "we're initiating a new connection, and we're going to do the in-band
> keying thing". The first part of the packet payload would then contain
> information describing the type of the in-band keying, and any in-band
> keying specific data.
>
> I believe this is far superior to ceding a large chunk of the SAID
> space --- it's more flexible. In addition, the whole concept of a
> "structured SAID" is a real perversion of the original meaning of a
> Secure Association ID. A structured SAID isn't really an ID. It's
> stealing 50% of the SAID space, and using a bit to indicate that the
> rest of the SAID is an escape for a particular in-band keying system.
> But it's extremely wasteful of the SAID space, and insufficiently
> flexible. After all, we only get to define the structure of the
> "structured SAID" once; and if we get it wrong, then that's it; we're
> stuck.
In fact Ashar Aziz and I have been working on a proposal along these lines
for IPv6, which I am planning on sending out this afternoon.
However, when you say
> This is why I still maintain that a "structured SAID" is really all
> about stealing one half of the SAID space for SKIP.
I must disagree. SKIP is just one possible in-band keying method. At least
one other exists, that designed by DEC. So I would say that using a bit
in the SAID for in-band keying is not the most judicious use of the SAID
identifier space.
Dan
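The two allocation schemes discussed in this thread, as an added example that is not part of the original message or of any SKIP or DEC specification: a receiver that dispatches on a single reserved SAID value and reads the in-band keying method from the start of the payload, beside a receiver that dispatches on a "structured SAID" escape bit. The SAID width (32 bits), the reserved value, the payload layout (method code, length, data) and the method codes are all assumptions made for the illustration; the thread names none of them. The space-accounting functions make the cost Ted describes concrete: the reserved value removes one identifier, the escape bit removes half of them.

```python
import struct

# Assumed 32-bit SAID field; the thread does not state the field width.
SAID_BITS = 32
SAID_SPACE = 1 << SAID_BITS

# Scheme A: one reserved SAID value means "in-band keying initiation".
# The value itself is an assumption; the message names none.
RESERVED_INBAND_SAID = 0xFFFFFFFF

# Scheme B: a "structured SAID" uses the top bit as an escape into an
# in-band keying sub-space, so half of the identifier space is gone.
STRUCTURED_ESCAPE_BIT = 1 << (SAID_BITS - 1)

# Hypothetical method codes carried in the payload under scheme A;
# new methods are added here without touching the SAID layout.
INBAND_METHODS = {1: "SKIP", 2: "DEC"}


def usable_saids_reserved_value():
    """Identifiers left for real security associations under scheme A."""
    return SAID_SPACE - 1


def usable_saids_structured():
    """Identifiers left for real security associations under scheme B."""
    return SAID_SPACE // 2


def build_packet(said, payload=b""):
    """Constructed packet: big-endian SAID followed by the payload."""
    return struct.pack("!I", said) + payload


def build_inband_initiation(method_code, method_data):
    """Scheme A initiation: reserved SAID, then method code, length, data."""
    header = struct.pack("!BH", method_code, len(method_data))
    return build_packet(RESERVED_INBAND_SAID, header + method_data)


def classify_reserved_value(packet):
    """Scheme A receiver: dispatch on the reserved SAID value.

    Returns ("established", said, payload) for a normal SA packet or
    ("inband", method_name, method_data) for a keying initiation.
    Malformed or unknown initiations are rejected, not silently accepted.
    """
    if len(packet) < 4:
        raise ValueError("packet shorter than the SAID field")
    (said,) = struct.unpack("!I", packet[:4])
    if said != RESERVED_INBAND_SAID:
        return ("established", said, packet[4:])
    if len(packet) < 7:
        raise ValueError("truncated in-band keying header")
    code, length = struct.unpack("!BH", packet[4:7])
    data = packet[7:7 + length]
    if len(data) != length:
        raise ValueError("in-band keying data shorter than declared length")
    method = INBAND_METHODS.get(code)
    if method is None:
        raise ValueError("unknown in-band keying method code %d" % code)
    return ("inband", method, data)


def classify_structured(packet):
    """Scheme B receiver: dispatch on the escape bit in the SAID.

    The remaining 31 bits are whatever the structured layout was defined
    to be when the bit was allocated; that layout cannot change later.
    """
    if len(packet) < 4:
        raise ValueError("packet shorter than the SAID field")
    (said,) = struct.unpack("!I", packet[:4])
    if said & STRUCTURED_ESCAPE_BIT:
        return ("inband", said ^ STRUCTURED_ESCAPE_BIT, packet[4:])
    return ("established", said, packet[4:])


if __name__ == "__main__":
    print("scheme A usable SAIDs:", usable_saids_reserved_value())
    print("scheme B usable SAIDs:", usable_saids_structured())
    print(classify_reserved_value(build_inband_initiation(1, b"\x01\x02")))
    print(classify_structured(build_packet(STRUCTURED_ESCAPE_BIT | 5)))
```

Under scheme A, adding a third keying method is a one-line change to `INBAND_METHODS`; under scheme B the method identity is baked into the SAID layout, which is the flexibility point the message makes.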