
Re: forward secrecy



At 08:57 PM 12/15/95 -0500, Perry E. Metzger wrote:
>
>I'd like to note, as I periodically do, that SKIP is in no way
>actually stateless. That's just marketing hype by Ashar. In order to
>use a SKIP datagram in any real system you are going to have to get
>keys from a keyserver, thus almost completely obviating the claimed
>advantages of SKIP.

This is *not* true for any real system. Just for a (certainly very large)
part of systems. By the way, could you please explain to me why using
a key server introduces state?

>You can, of course, operate SKIP with statically configured keys --
>but in that case why not just run ESP and AH with statically
>configured keys and get rid of the overhead?

Even in this somewhat degenerated scenario SKIP still supports multiple
name spaces, and allows for traffic keys and a (currently *very* coarse)
playback protection. Native AH/ESP does not give you that.


Friendly greetings,

        Germano