
Re: (IPng) Re: Proposed message on perfect forward security



Dan,

I have been reading this exchange for a while now and think it has gone
beyond the point of being constructive a long while ago.  The current
exchange seems to me to be centered around the definition of the word
"reserved".  Some seem to think it excludes the possibility of "in-band
keying", others think it allows it.  This is no longer a technical
discussion.

Perhaps this debate could be ended if the text was changed to say something
like:

        The set of SAID values in the range 0x00000001 through 0x000000FF
        are reserved for future use (for example "in-band keying").

Then perhaps everyone can go back to developing and deploying some real key
management algorithms and software which we all really need if the internet
is to have real security.

Bob


At 12:32 PM 3/14/95, Dan Nessett wrote:
>Perry,
>
>In an earlier message I point out :
>
>>  > No. In-band keying will not work with the present IPv6 specs. This issue
>>  > is independent of SKIP. The problem is there is no place to indicate in
>>  > either the AH or ESP that in-band keying is being used.
>
>To which you reply :
>
>>  That's not true.
>>
>>  The reserved SAIDs were envisioned for doing things like this. It
>>  wasn't thought that we'd actually *want* to use them, but we did leave
>>  in the flexibility just in case.
>>
>>  So far as I can tell, using one of the reserved SAIDs, as has been
>>  repeatedly proposed, would work just fine for you. This is not to say
>>  that the mechanism is being encouraged, but it is possible. Given the
>>  inability to reuse most of the rest of the protocol machinery,
>>  however, I really don't see, overall, why you would even want to try
>>  to get the round SKIP peg to fit into a square IPSP hole -- you need
>>  all your own transforms, you don't use the SAIDs per se, etc, etc --
>>  for the most part, you aren't using the IPSP mechanisms at all.
>
>Allow me to quote from the current AH I-D :
>
>      A 32-bit pseudo-random value identifying the security association
>      for this datagram.  If no security association has been established,
>      the value of this field shall be 0x00000000.  The set of SAID values
>      in the range 0x00000001 through 0x000000FF are reserved for future
>      use.
>
>There is similar language in the ESP I-D. I read this to mean that the
>reserved values are "reserved," i.e., not to be used, since they may
>be used for some unspecified purpose in the future. If the security documents
>are modified to indicate an SAID value that is to mean, "using in-band
>keying," then what you say would be true. However, at present it is not.
>
>Dan
>------------------------------------------------------------------------------
>IETF IPng Mailing List                FTP archive: ftp.parc.xerox.com:/pub/ipng
>Unsubscribe:    unsubscribe ipng                 (as message body, not subject)
>Direct all administrative requests to majordomo@sunroof.eng.sun.com