[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng) Re: Proposed message on perfect forward security


In regards to your questions :

>  Technical Questions:
>  1.  To reveiw:  Will in-band keying work with the present IPv6 specs
>      (Rans work) without changes to the specifications?  Not just SKIP
>      (see next question).

No. In-band keying will not work with the present IPv6 specs. This issue
is independent of SKIP. The problem is there is no place to indicate in
either the AH or ESP that in-band keying is being used.

>  2.  Are there multiple ways to use in-band keying besides SKIP?
>      I am asking this because I believe in-band keying should be
>      something vendors should be able to build as a key-management
>      solution.  I am assuming SKIP is only one way to use in-band keying
>      and others can exist too?

SKIP is only one way to do in-band keying. Other possibilities exist. For
example, Russ Housley has reported on these lists that the IEEE 802.10 standard 
for Secure Data Exchange (SDE) supports an in-band keying approach developed
by DEC. I believe this approach could also be used for in-band keying for
IPv6, but would defer on that to the original designers of the protocol or to
someone on the IEEE 802.10 committee. As far as I know, SKIP is the only
widely publicized in-band keying method proposed for IPv6, but I haven't
had a chance to read the recent proposal by Hugo at IBM, so I could be
wrong about that.

>  3.  Can't we discuss this without mention of SKIP so that we can
>      make sure either in-band or out-band can be used?  I think its
>      important we get to the heart of the architectural issues
>      technically of the in/out modes and not get hung up on actual
>      mechanisms?  Or is this not a good idea?

I agree 100% that we should focus on the issue of in-band and out-of-band
keying and not concentrate on SKIP. It is others on this list that continually
make accusations about this being a purely SKIP issue. From my perspective
the issue is more general. The IPv6 security documents should be written in
such a way as not to preclude or even discourage the use of in-band keying.
They should be general enough to allow both.