Re: IPv6 Security Last Call Initial Questions (per user keying)


Your suggestion:
>  Presumably the SPI will include the necessary keying material for the
>  security context.

if I understand it correctly, confuses the SPI, which is the 32-bit identifier
carried in IP packets, with the security context information it identifies.
The SPI is just a number that anyone can guess or snoop from the network.

I understand your observation that

>  I believe what's driving this as a requirement is that some applications
>  may want to exchange keying information on a user-specific level, using
>  some GSSAPI mechanism (including perhaps Kerberos), and that there be a
>  way to set the keys derived from authentication done at a user-specific
>  granularity to be used by the IPsec encryption encapsulation.

and I am not opposed to trying this idea out. My only dispute is making the
support for it mandatory. Claims by Perry Metzger to the contrary, I don't
think we know enough about this approach to force implementers to support it.
My specific concern is that they will spend a great deal of time and effort
attempting to engineer a solution, time that is probably better spent getting
the core security services implemented. Remember, for IPv6 at least, there
is a lot of other work to be done in addition to that directed at security.
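To make the SPI-versus-context distinction concrete, the following is an added illustration (not code from the message or from any IPsec implementation): it parses the cleartext SPI from an ESP header (assuming the modern layout of a 32-bit SPI followed by a 32-bit sequence number) and uses it only as a lookup key into a security association database that holds the real context, including an optional per-user identity. The addresses, SPI values, and keys are constructed placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ESP header: SPI (32 bits) then sequence number (32 bits), both sent in the clear.
ESP_HEADER = struct.Struct("!II")


@dataclass(frozen=True)
class SecurityAssociation:
    """The security context an SPI merely names; the key never travels in the packet."""
    spi: int
    dst: str
    cipher: str
    key: bytes
    user: Optional[str] = None  # set for a per-user SA, None for a host-level SA


def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (spi, seq) from the front of an ESP payload; anyone on the wire can read both."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet, 0)


class SecurityAssociationDatabase:
    """Receiver-side table: (destination, SPI) selects the context; the SPI is not a secret."""

    def __init__(self) -> None:
        self._sad: dict[tuple[str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sad[(sa.dst, sa.spi)] = sa

    def lookup(self, dst: str, spi: int) -> Optional[SecurityAssociation]:
        # Knowing or guessing an SPI only tells you which entry would be consulted;
        # without the entry itself there is no key material to recover.
        return self._sad.get((dst, spi))


def demo() -> tuple[int, Optional[str], bool]:
    """Constructed scenario: one host-level SA and one per-user SA for the same destination."""
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(0x1000, "fe80::1", "cipher-A", b"\x11" * 16))
    sad.add(SecurityAssociation(0x2000, "fe80::1", "cipher-A", b"\x22" * 16, user="alice"))
    packet = ESP_HEADER.pack(0x2000, 1) + b"<encrypted payload>"  # constructed packet
    spi, _seq = parse_esp_header(packet)
    sa = sad.lookup("fe80::1", spi)           # resolves to alice's per-user context
    guessed = sad.lookup("fe80::1", 0x3000)   # a snooped or guessed SPI with no SA behind it
    return spi, (sa.user if sa else None), guessed is None
```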