
Re: (IPng) Re: Proposed message on perfect forward security




> Dan,
> 
> Technical Questions:
> 
> 1.  To review:  Will in-band keying work with the present IPv6 specs
>     (Ran's work) without changes to the specifications?  Not just SKIP
>     (see next question).

(You addressed Dan, but since this was public, I'll offer
a response as well).

In-band might work. The reason I am hedging is that the
words about "not supporting" in-band not implying "precluding"
in-band in the IPv6 Arch spec strike me as ambiguous. People 
wishing to do this later, and relying solely on the specs
and not being privy to our e-mail discussions may in fact
conclude that in-band keying is precluded. (This was the 
conclusion that Dan and I arrived at after reading the document).

Certainly, there is little guidance in the specs to indicate how 
to perform in-band keying, should someone wish to do such a thing. 

By contrast, IEEE 802.10b explicitly defines the Management Defined Field 
(MDF) which follows the SAID and states that one possible use of this is 
to carry encrypted keys.

My preferred way to deal with this would be to remove the
ambiguous text, and specify somewhere how to achieve in-band
keying. There have been discussions about bits in the SAID
or one reserved SAID to indicate such a thing.

We are currently working under the assumption that a reserved
SAID may work better because people objected to burning up
half the SAID space. In fact, Dan had suggested this to
me prior to the suggestions on ipsec/ipng, and we were discussing
the right way to structure the information.

I am planning on writing up a transform for IPSP to indicate use of such 
a reserved SAID to indicate in-band keys and hope to write this up before 
the Danvers meeting.

> 2.  Are there multiple ways to use in-band keying besides SKIP?
>     I am asking this because I believe in-band keying should be
>     something vendors should be able to build as a key-management
>     solution.  I am assuming SKIP is only one way to use in-band keying
>     and others can exist too?

Yes, and in fact there is a DEC patent (US 5081678) on techniques 
that employ in-band keying that are totally unrelated to SKIP.

> 3.  Can't we discuss this without mention of SKIP so that we can
>     make sure either in-band or out-band can be used?  

We can and I think we should.

>    I think it's
>     important we get to the heart of the architectural issues
>     technically of the in/out modes and not get hung up on actual
>     mechanisms?  

I, for one, concur.

Regards,
Ashar.
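What a reserved-SAID signal for in-band keying could look like on the wire, as an added example that is not code from this thread, from the IPSP drafts, or from IEEE 802.10b. The 32-bit SAID width, the reserved value 0x00000001, and the layout of the key field (target SAID, 2-byte length, opaque wrapped key) are assumptions made for illustration; how the key is wrapped is out of scope and not shown.

```python
"""Reserved-SAID marking of in-band keying material (illustrative, assumed format).

Wire layout assumed here:
    normal packet : SAID(4, big-endian) | payload
    keying packet : RESERVED_IN_BAND_SAID(4) | target SAID(4) | len(2) | wrapped key | payload
"""
import struct

SAID_BITS = 32
SAID_MASK = (1 << SAID_BITS) - 1
RESERVED_IN_BAND_SAID = 0x00000001   # assumed reserved value, not from any spec


def usable_saids(approach):
    """SAIDs left for ordinary security associations under each signalling approach."""
    if approach == "flag":
        return 1 << (SAID_BITS - 1)      # one bit of the SAID spent: half the space
    if approach == "reserved":
        return SAID_MASK                 # 2**32 - 1: only the reserved value is spent
    raise ValueError("unknown approach: %r" % (approach,))


def build_normal(said, payload):
    """Ordinary packet for an already-established association."""
    if said == RESERVED_IN_BAND_SAID:
        raise ValueError("reserved SAID may not identify an ordinary association")
    return struct.pack("!I", said) + payload


def build_in_band(target_said, wrapped_key, payload):
    """Packet that carries keying material for `target_said` in-band.

    The SAID on the wire is the reserved value, so the association being
    established has to be named inside the key field.
    """
    if target_said == RESERVED_IN_BAND_SAID:
        raise ValueError("target SAID may not be the reserved value")
    if len(wrapped_key) > 0xFFFF:
        raise ValueError("wrapped key too long for 2-byte length field")
    header = struct.pack("!IIH", RESERVED_IN_BAND_SAID, target_said, len(wrapped_key))
    return header + wrapped_key + payload


class Receiver:
    """Demultiplexes on the SAID and installs in-band keys before use."""

    def __init__(self):
        self.sa_table = {}   # said -> key material (constructed, in-memory only)

    def receive(self, data):
        """Return (said, key, payload); raise on malformed input or unknown SAID."""
        if len(data) < 4:
            raise ValueError("truncated SAID")
        (said,) = struct.unpack("!I", data[:4])
        rest = data[4:]
        if said != RESERVED_IN_BAND_SAID:
            if said not in self.sa_table:
                raise KeyError("no association for SAID 0x%08x" % said)
            return said, self.sa_table[said], rest

        # Reserved SAID: a key field follows, then the payload it protects.
        if len(rest) < 6:
            raise ValueError("truncated key field header")
        target, klen = struct.unpack("!IH", rest[:6])
        if target == RESERVED_IN_BAND_SAID:
            raise ValueError("key field names the reserved SAID")
        if len(rest) < 6 + klen:
            raise ValueError("truncated wrapped key")
        key = rest[6:6 + klen]
        payload = rest[6 + klen:]
        self.sa_table[target] = key
        return target, key, payload


if __name__ == "__main__":
    # Constructed sample exchange: key arrives in-band, next packet uses it.
    rx = Receiver()
    print(rx.receive(build_in_band(0x1234, b"\x01" * 16, b"first")))
    print(rx.receive(build_normal(0x1234, b"second")))
    print(usable_saids("flag"), usable_saids("reserved"))
```

The two `usable_saids` figures make the objection recorded above concrete: a flag bit leaves 2^31 SAIDs for ordinary associations, a reserved value leaves 2^32 - 1. The receiver also shows one consequence of the reserved-SAID route that a bit in the SAID would not have: since the SAID on the wire is the reserved value, the key field itself must name the association it establishes, and a receiver should reject a key field that names the reserved value or that is shorter than its own length field claims.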