
Re: Status of IPSEC Key Management



SKIP-style in-band keying is good because it doesn't add more
round-trips.  It's bad because it involves extra overhead on each
packet.  SKIP's 20-28 bytes/packet (assuming 8-16 byte traffic keys)
adds ~50% to the size of a TCP ACK.

Has anyone (other than me) considered a scheme whereby in-band
messages are used to set up a SA, and thereafter omitted from the
packets?

One way to do this would be to include fields saying "respond to this
on SPI <NNN> until <expiration>" in the in-band-keying header; once an
explicit SPI had been set up between peers, the in-band header would
not be used.

This would add ~8 bytes to the in-band keying header (assuming a
4-byte reply SPI, and a 4-byte lifetime).

For a typical TCP exchange, the in-band keying headers would piggyback
on the SYN and SYN/ACK packets, and then be absent from subsequent
traffic.

					- Bill
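The set-up-then-omit idea sketched in the message above, as an added toy simulation that is not part of the original post and is not SKIP's real format: the `Keying` header layout, the 20+8 and 4 byte sizes, the SPIs, the traffic keys and the clock units are all assumed or constructed, and `tcp_exchange` tallies the per-packet keying bytes of the proposal against a SKIP-style header on every packet.

```python
# Toy model of the in-band keying proposal; hypothetical layout, not SKIP's real format.
from dataclasses import dataclass, field
from typing import Optional
INBAND_HDR_BYTES = 20 + 8  # assumed: 20-byte SKIP-style header (8-byte key) + 4-byte SPI + 4-byte lifetime
SPI_ONLY_BYTES = 4         # assumed: only the SPI once the SA is in place
@dataclass
class Keying:           # the in-band keying header
    traffic_key: bytes  # constructed; a real header carries it encrypted under the pairwise KEK
    reply_spi: int      # "respond to this on SPI <NNN>"
    expires_at: int     # "... until <expiration>" (constructed clock units)
@dataclass
class Packet:
    spi: Optional[int]        # set once the SA is established
    keying: Optional[Keying]  # set only while the SA is being set up
    payload: bytes
@dataclass
class Peer:
    inbound_spi: int   # SPI this peer asks the other side to reply on
    key: bytes         # traffic key this peer hands out (constructed)
    clock: int = 0
    outbound: Optional[Keying] = None            # learned from the peer's keying header
    inbound: dict = field(default_factory=dict)  # spi -> (key, expires_at) we advertised

    def send(self, payload: bytes, lifetime: int = 60) -> Packet:
        mine = self.inbound.get(self.inbound_spi, (None, 0))  # have we advertised a live reply SPI?
        if self.outbound and self.clock < self.outbound.expires_at and self.clock < mine[1]:
            return Packet(self.outbound.reply_spi, None, payload)  # SA live both ways: SPI only
        expiry = self.clock + lifetime                               # otherwise key in-band
        self.inbound[self.inbound_spi] = (self.key, expiry)
        return Packet(None, Keying(self.key, self.inbound_spi, expiry), payload)

    def receive(self, pkt: Packet) -> bytes:  # returns the traffic key protecting pkt
        if pkt.keying:
            self.outbound = pkt.keying  # install the SA the peer offered for our replies
            return pkt.keying.traffic_key
        key, expires_at = self.inbound.get(pkt.spi, (None, 0))
        if key is None or self.clock >= expires_at:
            self.inbound.pop(pkt.spi, None)  # unknown or expired SPI: peer must re-key in-band
            raise KeyError(f"no live inbound SA for SPI {pkt.spi}")
        return key

def tcp_exchange(n_segments: int = 10) -> tuple:  # (proposed bytes, SKIP-style 20 bytes/packet)
    a, b = Peer(0x1001, b"A" * 8), Peer(0x2002, b"B" * 8)
    proposed = 0
    for i in range(2 + n_segments):          # SYN, SYN/ACK, then alternating segments
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        pkt = src.send(b"seg%d" % i)
        dst.receive(pkt)
        proposed += INBAND_HDR_BYTES if pkt.keying else SPI_ONLY_BYTES
    return proposed, (2 + n_segments) * 20
```

Note that for a handshake-only exchange the proposal costs more than per-packet SKIP (two 28-byte headers versus two 20-byte ones); the saving appears once data segments follow, and an expired lifetime forces the sender back to in-band keying.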

