
Re: (IPng) Re: Proposed message on perfect forward security


In an earlier message I pointed out:

>  > No. In-band keying will not work with the present IPv6 specs. This issue
>  > is independent of SKIP. The problem is there is no place to indicate in
>  > either the AH or ESP that in-band keying is being used.

To which you replied:

>  That's not true.
>  The reserved SAIDs were envisioned for doing things like this. It
>  wasn't thought that we'd actually *want* to use them, but we did leave
>  in the flexibility just in case.
>  So far as I can tell, using one of the reserved SAIDs, as has been
>  repeatedly proposed, would work just fine for you. This is not to say
>  that the mechanism is being encouraged, but it is possible. Given the
>  inability to reuse most of the rest of the protocol machinery,
>  however, I really don't see, overall, why you would even want to try
>  to get the round SKIP peg to fit into a square IPSP hole -- you need
>  all your own transforms, you don't use the SAIDs per se, etc, etc --
>  for the most part, you aren't using the IPSP mechanisms at all.

Allow me to quote from the current AH I-D:

      A 32-bit pseudo-random value identifying the security association
      for this datagram.  If no security association has been established,
      the value of this field shall be 0x00000000.  The set of SAID values
      in the range 0x00000001 through 0x000000FF are reserved for future

There is similar language in the ESP I-D. I read this to mean that the
reserved values are "reserved," i.e., not to be used, since they may
be used for some unspecified purpose in the future. If the security documents
are modified to indicate an SAID value that is to mean, "using in-band
keying," then what you say would be true. However, at present it is not.
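As an added illustration of the point at issue (this is example code written for this page, not code from the thread or from any IPSP implementation), the following parser applies the quoted SAID rules to an AH header as a strict receiver would: 0x00000000 means no association, 0x00000001 through 0x000000FF is treated as reserved and therefore unusable, and only larger values are matched against the local security-association table. The 8-byte fixed header layout (Next Header, Length, 16-bit reserved field, SAID, then Length words of authentication data) is assumed to follow the RFC 1826 AH format that the draft became; the function names, the `known_saids` table and the sample packets are all constructed for this example.

```python
import struct

# Values taken from the quoted AH I-D text.
SAID_NO_ASSOCIATION = 0x00000000
SAID_RESERVED_LOW = 0x00000001
SAID_RESERVED_HIGH = 0x000000FF

# Fixed AH header: Next Header (1), Length (1), Reserved (2), SAID (4).
# Layout assumed from RFC 1826; Length counts 32-bit words of auth data.
AH_FIXED_FORMAT = "!BBHI"
AH_FIXED_LEN = struct.calcsize(AH_FIXED_FORMAT)


def classify_said(said):
    """Map a 32-bit SAID onto the three classes the draft text defines."""
    if said == SAID_NO_ASSOCIATION:
        return "no-association"
    if SAID_RESERVED_LOW <= said <= SAID_RESERVED_HIGH:
        return "reserved"
    return "assigned"


def parse_ah(packet):
    """Split an AH header into its fields, checking lengths before use."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("AH header truncated")
    next_header, length, _reserved, said = struct.unpack(
        AH_FIXED_FORMAT, packet[:AH_FIXED_LEN])
    auth_len = length * 4
    if len(packet) < AH_FIXED_LEN + auth_len:
        raise ValueError("authentication data truncated")
    return {
        "next_header": next_header,
        "said": said,
        "said_class": classify_said(said),
        "auth_data": packet[AH_FIXED_LEN:AH_FIXED_LEN + auth_len],
    }


def accept_ah(packet, known_saids):
    """Strict receiver policy: only an established, non-reserved SAID passes.

    Returns (accepted, reason). A reserved SAID is rejected because, as the
    draft text reads today, it carries no defined meaning; a sender using one
    to signal in-band keying would be dropped by such a receiver.
    """
    try:
        ah = parse_ah(packet)
    except ValueError as exc:
        return False, str(exc)
    cls = ah["said_class"]
    if cls == "no-association":
        return False, "SAID 0: no security association established"
    if cls == "reserved":
        return False, "SAID 0x%08X is in the reserved range" % ah["said"]
    if ah["said"] not in known_saids:
        return False, "SAID 0x%08X unknown to this host" % ah["said"]
    return True, "SAID 0x%08X accepted" % ah["said"]


def build_ah(next_header, said, auth_data):
    """Helper to construct sample AH headers for the demonstration below."""
    if len(auth_data) % 4:
        raise ValueError("auth data must be a whole number of 32-bit words")
    return struct.pack(AH_FIXED_FORMAT, next_header, len(auth_data) // 4,
                       0, said) + auth_data


# Constructed samples: a known SAID, a reserved SAID and SAID zero.
KNOWN_SAIDS = {0x12345678}
SAMPLE_OK = build_ah(6, 0x12345678, b"\x00" * 16)
SAMPLE_RESERVED = build_ah(6, 0x00000005, b"\x00" * 16)
SAMPLE_ZERO = build_ah(6, 0x00000000, b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("known", SAMPLE_OK), ("reserved", SAMPLE_RESERVED),
                      ("zero", SAMPLE_ZERO)):
        print(name, accept_ah(pkt, KNOWN_SAIDS))
```

Running the block shows only the packet carrying the established SAID being accepted; the reserved and zero SAIDs are refused with the reason attached, which is the interoperability hazard the message describes if one side treats a reserved SAID as an in-band keying marker and the other side follows the draft text literally.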