
Re: Use of UDP ports for Photuris
Bill,

  I see that as a Photuris protocol (clarification/bug) issue rather
than a UDP port issue.  Although I'm not yet building photurisd(8),
we do have the other pieces already and we've thought A Whole Lot
about building photurisd(8).

  Our system can store multiple certificates just fine.  We can also
let a key mgmt daemon sitting on PF_KEY pull certificates that it
needs.  So the critical issue in my mind is not UDP (which is not
the problem or solution on this issue) but rather ensuring that
it is clear HOW photuris the protocol lets either side indicate
which certificate to use.  As long as photurisd knows what certificate
it wants, we're sure that photurisd can get it if it exists in
the system.

  By the way, Mike StJohns has had an excellent idea on helping to
bootstrap certificates without using Secure DNS (as an option,
not a replacement for Secure DNS) by creating two new ICMP
messages:
	1)  ICMP Certificate Request (data portion indicates what type
		certificate is desired AND provides sender's certificate)
	2)  ICMP Certificate Response (data portion provides sender's
		certificate).

Since certificates would be sent, lack of authentication of these 2
ICMP message types at the IP layer would not be an issue.

Ran
rja@cs.nrl.navy.mil
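The two ICMP messages sketched above, worked through as an added example that is not part of the original message, of Photuris, or of any photurisd implementation. The ICMP type numbers, the certificate-type codes and the wire layout of the "certificate" are all assumptions made here for illustration (none are IANA-assigned), and the HMAC tag over the certificate body stands in for a real CA signature so the example runs with only the Python standard library. The point it demonstrates is the one the message relies on: the responder checks every received certificate against its trust anchor before trusting or answering it, so a spoofed ICMP request or response from an unauthenticated sender gets rejected at the certificate layer rather than needing IP-layer authentication.

```python
import hashlib
import hmac
import struct

# Constructed trust anchor. A real deployment would verify a public-key
# signature from the CA; the symmetric key here is only a stand-in.
CA_KEY = b"example-trust-anchor-key"

ICMP_CERT_REQUEST = 200    # hypothetical ICMP type, not IANA-assigned
ICMP_CERT_RESPONSE = 201   # hypothetical ICMP type, not IANA-assigned
CERT_TYPE_DNS = 1          # hypothetical "desired certificate type" code
CERT_TYPE_X509 = 2         # hypothetical "desired certificate type" code
PUBKEY_LEN = 32            # assumed fixed-size key field in the toy certificate
TAG_LEN = 32               # HMAC-SHA256 output


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as ICMP (RFC 792) uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes) -> bytes:
    """ICMP header (type, code 0, checksum) followed by the data portion."""
    hdr = struct.pack("!BBH", icmp_type, 0, 0)
    return struct.pack("!BBH", icmp_type, 0, internet_checksum(hdr + payload)) + payload


def parse_icmp(pkt: bytes):
    """Return (type, data portion); a valid packet checksums to zero."""
    if len(pkt) < 4 or internet_checksum(pkt) != 0:
        raise ValueError("malformed ICMP message")
    return pkt[0], pkt[4:]


# Toy certificate layout (assumed): subject_len | subject | cert_type | pubkey | tag
def issue_cert(subject: bytes, cert_type: int, pubkey: bytes) -> bytes:
    body = struct.pack("!B", len(subject)) + subject + struct.pack("!B", cert_type) + pubkey
    return body + hmac.new(CA_KEY, body, hashlib.sha256).digest()


def verify_cert(cert: bytes):
    """Return (subject, cert_type, pubkey), or raise if the trust anchor rejects it."""
    if not cert or len(cert) != 2 + cert[0] + PUBKEY_LEN + TAG_LEN:
        raise ValueError("certificate has wrong length")
    body, tag = cert[:-TAG_LEN], cert[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(CA_KEY, body, hashlib.sha256).digest(), tag):
        raise ValueError("certificate fails verification against the trust anchor")
    n = body[0]
    return body[1:1 + n], body[1 + n], body[2 + n:]


def build_cert_request(desired_type: int, own_cert: bytes) -> bytes:
    """ICMP Certificate Request: desired type AND the sender's own certificate."""
    return build_icmp(ICMP_CERT_REQUEST, struct.pack("!B", desired_type) + own_cert)


def handle_cert_request(pkt: bytes, cert_store: dict) -> bytes:
    """Responder: reject a bad requester cert, else reply with our cert of the asked-for type."""
    icmp_type, payload = parse_icmp(pkt)
    if icmp_type != ICMP_CERT_REQUEST or not payload:
        raise ValueError("not a certificate request")
    desired = payload[0]
    verify_cert(payload[1:])   # the only authentication the exchange needs
    if desired not in cert_store:
        raise ValueError("no certificate of the requested type")
    return build_icmp(ICMP_CERT_RESPONSE, cert_store[desired])


def handle_cert_response(pkt: bytes, expected_type: int):
    """Requester: verify the returned cert and check it is the type we asked for."""
    icmp_type, cert = parse_icmp(pkt)
    if icmp_type != ICMP_CERT_RESPONSE:
        raise ValueError("not a certificate response")
    subject, cert_type, pubkey = verify_cert(cert)
    if cert_type != expected_type:
        raise ValueError("responder returned the wrong certificate type")
    return subject, pubkey


def demo():
    """Constructed exchange between hostA and hostB, plus one spoofed request."""
    key_a = hashlib.sha256(b"host-a").digest()   # constructed stand-in public keys
    key_b = hashlib.sha256(b"host-b").digest()
    cert_a = issue_cert(b"hostA.example", CERT_TYPE_X509, key_a)
    store_b = {CERT_TYPE_X509: issue_cert(b"hostB.example", CERT_TYPE_X509, key_b)}

    req = build_cert_request(CERT_TYPE_X509, cert_a)
    resp = handle_cert_request(req, store_b)
    subject, pubkey = handle_cert_response(resp, CERT_TYPE_X509)

    # Spoof: corrupt one byte of the requester's certificate tag, keep the ICMP checksum valid.
    forged_payload = bytearray(req[4:])
    forged_payload[-1] ^= 0x01
    forged = build_icmp(ICMP_CERT_REQUEST, bytes(forged_payload))
    try:
        handle_cert_request(forged, store_b)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return subject, pubkey == key_b, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The responder's decision to answer depends only on `verify_cert` succeeding, never on where the ICMP packet came from, which is what makes an unauthenticated IP-layer transport acceptable for this bootstrap. Whatever selects the local certificate (here the `desired` byte indexing a small store) is also the place where a photurisd-style daemon would have to map the peer's stated preference onto the certificates it can pull over PF_KEY.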