
Re: draft-ietf-ipsec-des-md5-00.txt




hughes@hughes.network.com wrote:


> .....

> I can add this to the esp, just like dumbing the keys up was. 
> 
> After thinking about it, I just need something, anything to break a tie for 
> picking a forward and a reverse direction. A flag as to if I am the initiator 
> or responder? IP address? Lower SPI? Anyway, if there is a way, I can dumb-up a 
> few more keys for directionality?
> 
> Comments?
> 


For now, I am using addresses. But addresses may not work if NAT
(network address translation) is used. SPI may be a candidate, but
the two sides may choose the same SPI value. Perhaps this problem
should be resolved at IKMP layer rather than at IPSEC layer?
The only thing the IKMP layer needs to do is to give IPSEC layer
a 1-bit flag to indicate direction.

I know that <I-cookie, R-cookie> and <R-cookie, I-cookie> pairs
can be used to derive 2 uni-directional keys. But can IPSEC assume
cookies will always be used?


Regards, Pau-Chen
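The cookie-ordering tie-break discussed in this message, as an added example that is not part of the original thread or of draft-ietf-ipsec-des-md5: each side hashes the cookie pair in <sender, receiver> order, so the initiator's send key is the responder's receive key without any address or SPI comparison. The HMAC-SHA256 construction, the 8-byte key length and the sample cookie values are assumptions for illustration, not the draft's key derivation; the last function shows why a tie-breaker that both sides may pick identically (such as a colliding SPI) collapses the two directions into one key.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectionalKeys:
    to_peer: bytes    # key this side uses when sending
    from_peer: bytes  # key this side uses when receiving


def derive_directional_keys(shared_secret: bytes, my_cookie: bytes,
                            peer_cookie: bytes, key_len: int = 8) -> DirectionalKeys:
    """Derive two unidirectional keys from one shared secret.

    Assumed construction (not the draft's): direction is fixed purely by
    the ORDER of the cookie pair.  The send key hashes <my, peer>, the
    receive key hashes <peer, my>, so the two sides land on mirrored keys.
    """
    def kdf(sender: bytes, receiver: bytes) -> bytes:
        return hmac.new(shared_secret, sender + receiver, hashlib.sha256).digest()[:key_len]

    return DirectionalKeys(to_peer=kdf(my_cookie, peer_cookie),
                           from_peer=kdf(peer_cookie, my_cookie))


def keys_agree(initiator: DirectionalKeys, responder: DirectionalKeys) -> bool:
    """True when each side's send key is the peer's receive key and the directions differ."""
    return (initiator.to_peer == responder.from_peer
            and responder.to_peer == initiator.from_peer
            and initiator.to_peer != initiator.from_peer)


def same_value_collapses(shared_secret: bytes, value: bytes) -> bool:
    """If both sides chose the same tie-break value, send and receive keys coincide."""
    keys = derive_directional_keys(shared_secret, value, value)
    return keys.to_peer == keys.from_peer


# Constructed sample values: one shared secret and two 8-byte cookies.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
I_COOKIE = bytes.fromhex("0102030405060708")
R_COOKIE = bytes.fromhex("a1a2a3a4a5a6a7a8")


def demo() -> bool:
    initiator = derive_directional_keys(SHARED_SECRET, I_COOKIE, R_COOKIE)
    responder = derive_directional_keys(SHARED_SECRET, R_COOKIE, I_COOKIE)
    return keys_agree(initiator, responder)
```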

