
Re: Proposed message on perfect forward security



Phil,

>My own belief is that a single, general purpose key management
>protocol designed for the most demanding case will be much more widely
>adopted by the market than a collection of incompatible protocols with
>different levels of security that are each supposedly epsilon more
>efficient in some particular circumstance. Again, consider TCP vs
>TP[0-4].

I think you're right regarding the odds for market acceptance.  My belief
is that we still have a lot of work to do regarding key management in
general.  I think this will require discussion about our technical
beliefs/assumptions about where technology must or will be in the future, and
what the market can absorb regarding function and cost.  Often we say
this is not a technical discussion, but in fact it truly is, and it is often
at the crux of disagreement.  It also is a MUST before an engineer can
fully buy in to any specification.  We have to discuss more than just
the bits and bytes, to understand the effect of a technology on the
total network system.

Working on Ran's drafts for some time (SIP, SIPP, and now IPv6), I have
reviewed them technically as to the effect on a host kernel as a network layer
header and how the design will affect that part of the code base for
IPv6 in a network operating system.  Now that it may move to proposed
standard, we must look at it from the perspective of key management too.
Until recently there was not a discussion on this topic in SIP, SIPP, or
IPv6.  I think IPSEC should do that work, and I think it's started.

I do not think TCP vs TP[0-4] is a fair analysis of in-band vs
out-band.  TCP and TPxxx are two different protocol suites, two
different AFs to a socket, and I believe two different philosophies
towards the functions of a transport layer protocol.  In-band is an
option customers may want to use who do not need perfect forwarding
security.  Everything else about the ip6_input layer is the same; all
that changes is the module that processes the IPv6 Security Header (at
least in our implementation design).  What is not clear to me is what
the out-band key management winner will be.  To do testing I am assuming we
will have to agree to use some out-band method to test Ran's specs in
the kernel and at the application layer too.  It would be nice if we
could get some folks like yourself to agree soon on what is a good way for
IPv6 implementors to test our implementations.  What about Kerberos?  I
think all can get code to do this?  [just for interoperability
testing].

/jim
