
Multiple Transforms per SPI, user to user keying in Photuris

After the ipsec meeting yesterday I had a discussion with
Bill Simpson and Angelos D. Keromytis about the Photuris
draft. I raised the following two topics which I thought
might be of interest to the ipsec community.

1. Multiple Attribute Choices in the Identity message.

We agreed that it would be a good idea to limit the
number of attributes in the identity message
to one AH attribute and one ESP attribute for one SPI. 
The reasons are a clearer design and the fact that the 
session key used by multiple attribute choices would be the
same. If somebody wants to use more than one ESP transform s/he
should negotiate multiple SPIs and apply a set of SPIs to
each packet.

2. Identification for user to user keying

There should be a way to determine both users on the responder
side during the key exchange. Only then is it possible
to establish user to user keying with one key exchange.

This can easily be accomplished by defining a new Identity-Choice
which contains the identity of both users in the Identification
field.

Another approach would be to add a second identification field
to the identification message.

Oliver
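The following is an added model of the two proposals above, not code from the message or from any Photuris implementation. It assumes a stand-in key derivation (SHA-256 over the shared secret and the SPI, which is not the draft's derivation) to show why attribute choices under one SPI would share a session key, splits a wanted set of transforms into one-AH-plus-one-ESP SPIs as point 1 proposes, and uses a hypothetical length-prefixed layout for a two-identity Identification field as point 2 proposes. Attribute and transform names are illustrative, not Photuris attribute numbers.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    """One AH or ESP attribute choice (illustrative names, not draft attribute numbers)."""
    protocol: str   # "AH" or "ESP"
    transform: str  # e.g. "HMAC-MD5", "DES-CBC"


@dataclass
class SecurityAssociation:
    spi: int
    attributes: tuple  # at most one AH and one ESP attribute


def validate_attributes(attributes):
    """Rule from point 1: at most one AH and one ESP attribute for one SPI."""
    counts = {"AH": 0, "ESP": 0}
    for a in attributes:
        if a.protocol not in counts:
            raise ValueError("unknown protocol %r" % a.protocol)
        counts[a.protocol] += 1
    for proto, n in counts.items():
        if n > 1:
            raise ValueError("%d %s attributes for one SPI; negotiate one SPI per transform" % (n, proto))
    return True


def session_key(shared_secret, spi):
    """Stand-in derivation (an assumption, NOT the Photuris derivation): the key is a
    function of the exchange's shared secret and the SPI only, so every attribute
    choice negotiated under the same SPI would receive the same key."""
    return hashlib.sha256(b"session-key" + shared_secret + spi.to_bytes(4, "big")).digest()[:16]


def negotiate(transforms, first_spi=0x100):
    """Spread a wanted set of transforms over SPIs so that each SPI carries at most one
    AH and one ESP attribute; further transforms of the same protocol get fresh SPIs.
    The returned list is the SPI set applied to each packet."""
    sas = []
    pending = list(transforms)
    spi = first_spi
    while pending:
        chosen, seen = [], set()
        for a in pending:
            if a.protocol not in seen:
                chosen.append(a)
                seen.add(a.protocol)
        for a in chosen:
            pending.remove(a)
        validate_attributes(chosen)
        sas.append(SecurityAssociation(spi, tuple(chosen)))
        spi += 1
    return sas


def bundle_keys(sas, shared_secret):
    """One session key per SPI in the bundle; distinct SPIs give distinct keys."""
    return {sa.spi: session_key(shared_secret, sa.spi).hex() for sa in sas}


def encode_identification(initiator, responder):
    """Hypothetical two-identity Identification field for point 2: each identity is a
    one-byte length followed by its UTF-8 bytes. The layout is an assumption."""
    out = b""
    for ident in (initiator, responder):
        raw = ident.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("identity too long for one-byte length")
        out += bytes([len(raw)]) + raw
    return out


def decode_identification(data):
    """Parse the hypothetical field back into (initiator, responder), rejecting
    truncated input and trailing bytes."""
    idents, pos = [], 0
    for _ in range(2):
        if pos >= len(data):
            raise ValueError("truncated identification field")
        n = data[pos]
        pos += 1
        if pos + n > len(data):
            raise ValueError("truncated identity")
        idents.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes after second identity")
    return tuple(idents)


if __name__ == "__main__":
    wanted = [Attribute("AH", "HMAC-MD5"), Attribute("ESP", "DES-CBC"), Attribute("ESP", "3DES-CBC")]
    bundle = negotiate(wanted)
    print([(hex(sa.spi), [a.transform for a in sa.attributes]) for sa in bundle])
    print(bundle_keys(bundle, b"constructed shared secret"))
    print(decode_identification(encode_identification("alice@example.com", "bob@example.com")))
```

With the constructed input above, the two ESP transforms land on two SPIs with different keys, whereas keeping both under one SPI is rejected by `validate_attributes`.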