[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPv6 Security Last Call Questions
As author of the IPv6 security architecture document, I wonder if you would
respond to the following two questions :
In section 4.6, the first paragraph, it states :
This section defines key management requirements for all IPv6
implementations and for those IPv4 implementations that implement the
IP Authentication Header, the IP Encapsulating Security Payload, or
In section 4.6, the second paragraph, it states :
implementations MUST support the configuration and use of user-oriented
keying for traffic originating at that system.
In section 4.6, the third paragraph, it states :
A device that encrypts or authenticates IP packets originated on
other systems, for example a dedicated IP encryptor or an encrypting
gateway, cannot generally provide user-oriented keying for traffic
originating on other systems. Hence, such systems MUST implement
support for host-oriented keying for traffic originating on other
systems. Such systems MAY additionally implement support for
user-oriented keying for traffic originating on other systems.
Since the first paragraph makes it clear that the subsequent text applies to
*all* IPv6 implementations and *all* IPv4 implementations that implement the
IP Authentication Header, the IP Encapsulating Security Payload, or both,
the text in paragraphs 2 and 3 seem inconsistent. In paragraph 2 you specify
that all implementations MUST support user-oriented keying and then in
paragraph 3 you state that certain implementations cannot generally do so for
traffic originating on other systems.
Could you clarify this point?
Several highly respected experts in the field of cryptography and computer
communications have offered an opinion that the cryptanalytic threats
used to motivate mandatory user-oriented keying are effectively countered
by more traditional techniques, e.g., proper management of the session key
cryptoperiod. In view of this, could you explain why user-oriented keying
remains a mandatory requirement?