[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPv6 Security Last Call Questions

To: ipsec@ans.net
Subject: IPv6 Security Last Call Questions
From: Danny.Nessett@eng.sun.com (Dan Nessett)
Date: Mon, 27 Mar 1995 10:28:26 -0800
Cc: deering@parc.xerox.com, jis@mit.edu, rcallon@pobox.wellfleet.com, sob@newdev.harvard.edu

Ran,

As author of the IPv6 security architecture document, I wonder if you would
respond to the following two questions :

Question 1
----------

In section 4.6, the first paragraph, it states :

     This section defines key management requirements for all IPv6
   implementations and for those IPv4 implementations that implement the
   IP Authentication Header, the IP Encapsulating Security Payload, or
   both.

In section 4.6, the second paragraph, it states :

   All such
   implementations MUST support the configuration and use of user-oriented
   keying for traffic originating at that system.

In section 4.6, the third paragraph, it states :

     A device that encrypts or authenticates IP packets originated on
   other systems, for example a dedicated IP encryptor or an encrypting
   gateway, cannot generally provide user-oriented keying for traffic
   originating on other systems.  Hence, such systems MUST implement
   support for host-oriented keying for traffic originating on other
   systems.  Such systems MAY additionally implement support for
   user-oriented keying for traffic originating on other systems.

Since the first paragraph makes it clear that the subsequent text applies to
*all* IPv6 implementations and *all* IPv4 implementations that implement the
IP Authentication Header, the IP Encapsulating Security Payload, or both,
the text in paragraphs 2 and 3 seem inconsistent. In paragraph 2 you specify
that all implementations MUST support user-oriented keying and then in
paragraph 3 you state that certain implementations cannot generally do so for
traffic originating on other systems.

Could you clarify this point?

Question 2
----------

Several highly respected experts in the field of cryptography and computer
communications have offered an opinion that the cryptanalytic threats
used to motivate mandatory user-oriented keying are effectively countered
by more traditional techniques, e.g., proper management of the session key
cryptoperiod. In view of this, could you explain why user-oriented keying
remains a mandatory requirement?

Thanks.

Regards,

Dan

Prev by Date: Re: IPv6 Security Last Call Initial Questions
Next by Date: Working Group Last Call
Prev by thread: Re: key-ed MD5 again
Next by thread: IPv6 Security Last Call Questions
Index(es):
- Main
- Thread