
Re: inline keying



I've received relatively little feedback on the inline keying
proposal; as I'm in the process of revising it (hopefully in time for
the deadline next Wednesday), I'd very much like to hear what you, or
anyone else, has to say.

> As I mentioned in San Jose, Bill Sommerfeld's version of inline keying
> is not at all what I mean.  What I mean is carrying an identifier in
> the ESP header that can be hashed with a pre-established secret to
> produce the unique key for the packet payload.  This can be done many
> times to achieve uni-directional rekeying before security would demand
> that the pre-established secret be changed.

What you're suggesting is rekeying every packet.  Putting my
efficiency hat on, this could get quite expensive (potentially
doubling the crypto overhead vs. fixed keys for short packets).

My proposal was (essentially) rekeying every "connection" or "flow",
so that the second and subsequent packets in each direction can run at
the same speed as a vanilla fixed-key SA.

> I think the distinction is inline keys vs. inline key exchanges.

Fair enough.  Anyone else have any comments?

					- Bill
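The two schemes discussed in this message, as an added toy model that is not part of the original thread and not Bill's or anyone else's implementation: per-packet keying derives a fresh key from the pre-established secret and an identifier carried in the header on every packet (both sender and receiver run the derivation), while per-flow keying derives one key per flow direction and then runs at fixed-key speed. The header layout (SPI || sequence number), the use of HMAC-SHA256 as the "hash with a pre-established secret", and the use of an integrity tag in place of ESP's real transform are all assumptions made for the example; the secret and payloads are constructed.

```python
"""Per-packet vs per-flow inline keying, modelled with stdlib primitives only."""
import hashlib
import hmac
import struct

# Constructed sample secret. In IPsec it is established out of band
# (manual keying or a key-exchange protocol) and never carried in a packet.
SHARED_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

HDR_LEN = 8   # assumed header: 4-byte SPI + 4-byte sequence number
TAG_LEN = 32  # HMAC-SHA256 tag


def derive_key(secret: bytes, identifier: bytes) -> bytes:
    """key = PRF(secret, identifier). HMAC-SHA256 is an assumption standing
    in for whatever hash the proposal would specify."""
    return hmac.new(secret, identifier, hashlib.sha256).digest()


def packet_identifier(spi: int, seq: int) -> bytes:
    """Identifier carried in every header (assumed: SPI || seq)."""
    return struct.pack("!II", spi, seq)


def flow_identifier(spi: int) -> bytes:
    """Per-flow keying: one identifier per flow direction, not per packet."""
    return struct.pack("!I", spi)


def protect(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Integrity tag over header and payload; stands in for ESP's transform."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def _split(packet: bytes):
    if len(packet) < HDR_LEN + TAG_LEN:
        return None
    return packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]


def seal_per_packet(secret: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side of per-packet keying: one key derivation per packet."""
    header = packet_identifier(spi, seq)
    key = derive_key(secret, header)
    return header + payload + protect(key, header, payload)


def open_per_packet(secret: bytes, packet: bytes):
    """Receiver re-derives the packet key from the header it just parsed.
    Returns the payload, or None if the packet is malformed or fails the tag."""
    parts = _split(packet)
    if parts is None:
        return None
    header, body, tag = parts
    key = derive_key(secret, header)
    if not hmac.compare_digest(tag, protect(key, header, body)):
        return None
    return body


def seal_per_flow(flow_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side of per-flow keying: the key was derived once at flow setup,
    so each packet costs the same as a fixed-key SA."""
    header = packet_identifier(spi, seq)
    return header + payload + protect(flow_key, header, payload)


def open_per_flow(flow_key: bytes, packet: bytes):
    parts = _split(packet)
    if parts is None:
        return None
    header, body, tag = parts
    if not hmac.compare_digest(tag, protect(flow_key, header, body)):
        return None
    return body


def hash_operations(n_packets: int, per_packet_keying: bool) -> int:
    """PRF/MAC invocations in one direction: per-packet keying pays a
    derivation on every packet (about double for short packets), per-flow
    keying pays it once per flow."""
    if per_packet_keying:
        return 2 * n_packets
    return n_packets + 1


if __name__ == "__main__":
    spi = 0x1000
    pkt = seal_per_packet(SHARED_SECRET, spi, 1, b"per-packet payload")
    print("per-packet:", open_per_packet(SHARED_SECRET, pkt))
    flow_key = derive_key(SHARED_SECRET, flow_identifier(spi))
    fpkt = seal_per_flow(flow_key, spi, 1, b"per-flow payload")
    print("per-flow:  ", open_per_flow(flow_key, fpkt))
    for n in (1, 10, 1000):
        print(n, "packets:", hash_operations(n, True), "vs", hash_operations(n, False))
```

The model deliberately covers integrity only; a real ESP transform would also encrypt the payload under the derived key, and the efficiency argument is the same: with per-packet keying the derivation cost is paid on every packet in both directions, whereas per-flow keying amortises it over the flow.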
