
Re: Use of UDP ports for Photuris



	 I'd like to see key management done as a protocol over IP.  This is
	 because it facilitates building high-assurance systems.  For example,
	 if the host policy requires all user-level network communication to be
	 AH or ESP protected, then I can easily build a protocol graph that
	 ensures this if key management is in the kernel.  If it isn't, then
	 there must be a filter that allows some key management messages to be
	 delivered to the user level while blocking other traffic.  This is a
	 displeasing architecture.

	 And, I'm not comfortable about having keys managed by a user-level
	 process, anyway.  I'd like to have the code that manages the keys
	 be able to manage real memory.

	 UDP doesn't have anything to offer IP key management.  Its port numbers
	 and checksum are just red herrings.

I tend to agree with Ran that key management is most easily implemented
in user space; however, this can be done just as well with a raw socket
as with a UDP port.  The real issues lie elsewhere.

Hilarie is right about the policy issues being complicated by use of
UDP.  If (a) we want to protect all normal traffic to/from a certain
host, and (b) key management is done by UDP, we somehow have to make
an exception for the key management ports, including (possibly) the
arbitrary UDP port number used by a client.  This is messy, especially
for bump-in-the-cord encryptors.  Folks interested in this aspect may
want to look at a draft paper by David Wagner and myself, on a ``bump-
in-the-stack'' encryptor for MS/DOS, available as

	ftp://ftp.research.att.com/dist/smb/bis.ps

For a UNIX-style implementation, where possibly root could issue the
setsockopt() to turn off security for the key management sockets, this
wouldn't be as much of an issue, but of course the whole world isn't a
UNIX box.

Similar issues apply to IPSEC hosts behind firewalls -- it's a *lot*
easier to get the key management packets in and out if they don't use
UDP.
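
As an added illustration of the policy point made in this message (example code, not part of the original thread or of any Photuris implementation), the following models the host policy "everything must be AH or ESP" under the two designs being argued about: key management as its own IP protocol, versus key management over UDP, where the filter has to carve out a port-based exception. The IP protocol number 200 for the native key-management protocol, the UDP port 468 for the key manager, and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass

# Real IP protocol numbers for AH, ESP and UDP
AH, ESP, UDP = 51, 50, 17
# Assumed for this example only: a hypothetical IP protocol number for a
# native key-management protocol, and a well-known UDP port for a key manager
KM_PROTO = 200
KM_UDP_PORT = 468


@dataclass(frozen=True)
class Packet:
    """Inbound IP packet as seen by the policy filter (constructed)."""
    proto: int
    sport: int = 0   # UDP source port, 0 when the packet is not UDP
    dport: int = 0   # UDP destination port, 0 when the packet is not UDP


def policy_native(pkt: Packet) -> bool:
    """Policy when key management runs directly over IP.

    The only unprotected traffic admitted is the key-management protocol
    itself, and the exception is keyed on the IP protocol number alone, so
    no UDP port number ever needs to be let through in the clear.
    """
    return pkt.proto in (AH, ESP, KM_PROTO)


def policy_udp_static(pkt: Packet) -> bool:
    """Policy when key management runs over UDP, applied by a filter that
    cannot know which ephemeral ports the host's key manager has bound
    (the bump-in-the-cord case): admit any cleartext UDP datagram that
    carries the key-management port on either end.
    """
    if pkt.proto in (AH, ESP):
        return True
    return pkt.proto == UDP and KM_UDP_PORT in (pkt.sport, pkt.dport)


def policy_udp_stateful(pkt: Packet, km_local_ports: frozenset) -> bool:
    """Tighter UDP exception, possible only when the filter can learn the
    local ephemeral ports the key manager actually uses (an in-host
    implementation): a peer may reach our well-known port from any port,
    and replies must come from the well-known port to one of our own.
    """
    if pkt.proto in (AH, ESP):
        return True
    if pkt.proto != UDP:
        return False
    if pkt.dport == KM_UDP_PORT:
        return True
    return pkt.sport == KM_UDP_PORT and pkt.dport in km_local_ports


# Constructed sample traffic, all inbound to the protected host
SAMPLE = {
    "esp": Packet(ESP),
    "km_native": Packet(KM_PROTO),
    # reply to our key manager, which bound ephemeral port 49152
    "km_reply": Packet(UDP, sport=KM_UDP_PORT, dport=49152),
    # a peer initiating key management towards our well-known port
    "km_request": Packet(UDP, sport=49153, dport=KM_UDP_PORT),
    # ordinary unprotected UDP, which every policy must reject
    "cleartext_udp": Packet(UDP, sport=5000, dport=53),
    # unrelated cleartext UDP that merely carries the key-management port
    # number on one end: the hole the static port exception opens
    "port_collision": Packet(UDP, sport=KM_UDP_PORT, dport=53),
}


def evaluate(km_local_ports: frozenset = frozenset({49152})) -> dict:
    """Return {name: (native, udp_static, udp_stateful)} verdicts, True meaning
    the packet is admitted in the clear or is itself AH/ESP."""
    return {
        name: (
            policy_native(pkt),
            policy_udp_static(pkt),
            policy_udp_stateful(pkt, km_local_ports),
        )
        for name, pkt in SAMPLE.items()
    }


if __name__ == "__main__":
    print(f"{'packet':16} {'native':>7} {'udp-static':>11} {'udp-stateful':>13}")
    for name, verdict in evaluate().items():
        print(f"{name:16} " + " ".join(f"{str(v):>11}" for v in verdict))
```

The "port_collision" row is the point of the message: with key management as its own IP protocol, the policy never admits cleartext UDP at all; with key management over UDP, a filter that lacks per-socket knowledge has to admit any datagram carrying the key-management port number, and only an in-host filter that tracks the key manager's own ephemeral ports can close that gap.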