
Re: fast re-keying



Phil,

>>"I have not turned on Security or I am not USING Security at this node".

>How about an ICMP Protocol Unreachable message? This has the definite
>advantage of already being implemented both for the encapsulation
>protocol and for the UDP port used for key management...

Yes, this would be better.  A question.

The way this could work in an IPv6 BSD implementation is that when parsing
the IPv6 header and I see an ESP or AUTH Next Payload type I will know
at that point I need to send an ICMP unreachable message.  If the UDP
data is encrypted or the plain text is authenticated, I don't want to have
to decipher it to get the UDP port.  I would rather not invoke any of the
security routines or pass to the transport layer as I can know at the
ip6_input routine I am not using security for this user, unless an
application has overridden that with the API or socket option for a
particular socket (which right now I guess is implementation defined
with no standard yet).

Can we have a well known port to send the ICMP Unreachable to regardless
of the key management used?  Or will they all use different ports, do you
think?

Will this work for in-band keying too?  

thanks
/jim
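The triage Jim describes above, as an added example that is not code from the original thread or from any BSD implementation: an ip6_input-style routine walks the IPv6 base header and the hop-by-hop, routing and destination-options extension headers, and as soon as it meets an ESP (Next Header 50) or AH (51) header it decides, without touching the protected payload, whether to hand the packet to the security routines or to answer with an ICMP unreachable because security is not enabled at this node. The `security_enabled` flag, the verdict enum and the sample-packet builder are assumptions of this example, not an API from any stack; header layouts follow the IPv6 specification.

```c
/* Added example (not from the original mail thread): a minimal
 * ip6_input-style triage routine. It walks the IPv6 base header and any
 * hop-by-hop/routing/destination-options extension headers, and as soon
 * as it sees an ESP (50) or AH (51) Next Header it decides, without
 * touching the protected payload, whether this node would invoke its
 * security routines or reply with an ICMP unreachable because security is
 * not enabled here. The "security_enabled" flag and the verdict enum are
 * assumptions of this example, not an API from any implementation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP6_HDR_LEN  40
#define NH_HOPOPTS    0   /* Hop-by-Hop Options */
#define NH_UDP       17
#define NH_ROUTING   43
#define NH_ESP       50
#define NH_AH        51
#define NH_DSTOPTS   60   /* Destination Options */

enum verdict {
    VERDICT_DELIVER,          /* no ESP/AH: hand to the transport layer */
    VERDICT_SECURITY,         /* ESP/AH present and security is on: decipher/authenticate */
    VERDICT_ICMP_UNREACHABLE, /* ESP/AH present but security is off here: answer with ICMP */
    VERDICT_DROP              /* malformed packet */
};

/* Walk the header chain; stop at the first ESP/AH or at the first
 * upper-layer header. Only fixed-format extension headers are parsed. */
enum verdict ip6_triage(const uint8_t *pkt, size_t len, int security_enabled)
{
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6)
        return VERDICT_DROP;
    uint8_t nh = pkt[6];            /* Next Header of the base header */
    size_t off = IP6_HDR_LEN;
    for (;;) {
        switch (nh) {
        case NH_ESP:
        case NH_AH:
            /* The decision needs only the Next Header value; the payload
             * (which may be encrypted) is never inspected. */
            return security_enabled ? VERDICT_SECURITY : VERDICT_ICMP_UNREACHABLE;
        case NH_HOPOPTS:
        case NH_ROUTING:
        case NH_DSTOPTS: {
            /* Generic extension header: byte 0 = Next Header,
             * byte 1 = Hdr Ext Len in 8-octet units, not counting the first 8. */
            if (off + 2 > len) return VERDICT_DROP;
            size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + ext_len > len) return VERDICT_DROP;
            nh = pkt[off];
            off += ext_len;
            break;
        }
        default:
            return VERDICT_DELIVER;
        }
    }
}

/* Constructed sample packet for testing: base header, optionally one
 * 8-octet Destination Options header (padded with Pad1), then 8 dummy
 * payload octets. Returns the packet length, or 0 if cap is too small. */
size_t make_sample(uint8_t *buf, size_t cap, uint8_t final_nh, int with_dstopts)
{
    size_t payload = (with_dstopts ? 8 : 0) + 8;
    size_t total = IP6_HDR_LEN + payload;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                        /* version 6 */
    buf[4] = (uint8_t)(payload >> 8);     /* payload length, big-endian */
    buf[5] = (uint8_t)(payload & 0xff);
    buf[6] = with_dstopts ? NH_DSTOPTS : final_nh;
    buf[7] = 64;                          /* hop limit */
    if (with_dstopts) {
        buf[IP6_HDR_LEN]     = final_nh;  /* Next Header carried by the extension header */
        buf[IP6_HDR_LEN + 1] = 0;         /* Hdr Ext Len 0 => 8 octets */
    }
    return total;
}

/* Convenience: build a sample and triage it in one call. */
enum verdict triage_sample(uint8_t final_nh, int with_dstopts, int security_enabled)
{
    uint8_t buf[128];
    size_t n = make_sample(buf, sizeof buf, final_nh, with_dstopts);
    return ip6_triage(buf, n, security_enabled);
}

int main(void)
{
    printf("ESP, security off : %d (expect %d)\n", triage_sample(NH_ESP, 0, 0), VERDICT_ICMP_UNREACHABLE);
    printf("AH after DstOpts  : %d (expect %d)\n", triage_sample(NH_AH, 1, 1), VERDICT_SECURITY);
    printf("plain UDP         : %d (expect %d)\n", triage_sample(NH_UDP, 1, 0), VERDICT_DELIVER);
    return 0;
}
```

Two caveats a practitioner would keep in mind: a per-socket override of the kind Jim mentions would have to be consulted before the ICMP verdict, which this example does not model; and in IPv6 the ICMPv6 message that corresponds to ICMPv4 "protocol unreachable" is Parameter Problem, code 1 (unrecognized Next Header type), rather than a Destination Unreachable code.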