
Re: Slicing and Dicing in new-esp



I'm trying to make sure that the boundary between key management and
ESP/AH is well specified.  Assuming I understand it correctly, the
current new-esp draft mentions receiving two keys from key management
(one auth key, one encryption key), while the current ipsec DOI draft
specifies providing one key blob to ESP.  This sounds like a mismatch
to me.

> The discussion seems to cover only slicing the key blob, not
> inflating.  If the key blob is shorter than the total key length
> needed by the transform algorithms, then it must be inflated, and the
> inflation should be done on the total key blob, not slices of it.

Right, but this expansion should happen in key management, not the
transforms/algorithms; ESP should not need to know which prf was used
for key negotiation.

During the implementors meeting, there seemed to be no objection to
the concept that the transform should ask for a specific amount of
keying material, and that key management is responsible for delivering
at least that much.

					- Bill
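As an added illustration (not code from this thread or any IPsec implementation) of the rule in the quoted paragraph: a key blob shorter than the total the transforms need is inflated once, as a whole, and only then sliced into the auth key and the encryption key; slicing first and inflating each slice separately is the ordering the paragraph argues against. The PRF used for inflation (counter-mode HMAC-SHA-256) is an assumption, since the thread names none.

```python
import hashlib
import hmac


def expand_key_blob(blob: bytes, needed: int) -> bytes:
    """Inflate a key blob to at least `needed` bytes.

    Assumed PRF (the thread does not name one): iterated HMAC keyed with
    the blob, feeding back the previous block plus a one-byte counter.
    A blob that is already long enough is returned unchanged, matching
    "key management delivers at least that much".
    """
    if len(blob) >= needed:
        return blob
    out, prev, counter = b"", b"", 1
    while len(out) < needed:
        prev = hmac.new(blob, prev + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out


def slice_keys(material: bytes, auth_len: int, enc_len: int):
    """Slice keying material into (auth_key, enc_key), auth key first.
    Raises if key management delivered less than the transforms asked for."""
    if len(material) < auth_len + enc_len:
        raise ValueError("key management delivered too little keying material")
    return material[:auth_len], material[auth_len:auth_len + enc_len]


def keys_expand_then_slice(blob: bytes, auth_len: int, enc_len: int):
    """Ordering the thread argues for: inflate the whole blob, then slice."""
    return slice_keys(expand_key_blob(blob, auth_len + enc_len), auth_len, enc_len)


def keys_slice_then_expand(blob: bytes, auth_len: int, enc_len: int):
    """Ordering the thread warns against: cut the short blob proportionally,
    then inflate each piece on its own, so each key is derived from only a
    fraction of the negotiated material."""
    cut = len(blob) * auth_len // (auth_len + enc_len)
    return expand_key_blob(blob[:cut], auth_len), expand_key_blob(blob[cut:], enc_len)
```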

