
Operational Considerations



I don't know why I awoke so early thinking about IP Security, but before
I go back to bed, a couple of semi-private notes I read yesterday from
the ANX design team members remind me that my recent drafts contain
important sections which should be in the main ESP draft, rather than
duplicated in each transform.

We've discussed these on this list before, but they have not yet shown
up in the revised ESP.  Make it so:

Operational Considerations

   This specification provides only a few manually configurable
   parameters:

   SPI
      Manually configured SPIs are limited in range to aid operations.
      Automated SPIs are pseudo-randomly distributed throughout the
      remaining 2**32 values.

      Default: 0 (none).  Range: 256 to 65,535.

   SPI LifeTime (SPILT)
      Manually configured LifeTimes are generally measured in days.
      Automated LifeTimes are specified in seconds.

      Default: 32 days (2,764,800 seconds).  Maximum: 182 days
      (15,724,800 seconds).

   Replay Window
      Long term replay prevention requires automated configuration.
      Also, some earlier implementations used pseudo-random values.
      This check must only be used with those peers that have
      implemented this feature.

      Default: 0 (checking off).  Range: 32 to 256.

   Pad Values
      New implementations use verifiable values.  However, some earlier
      implementations used pseudo-random values.  This check must only
      be used with those peers that have implemented this feature.

      Also, some operations desire additional padding to inhibit traffic
      analysis.

      Default: 0 (checking off).  Range: 7 to 255.

   Encryption
      Each interface document will describe the keying material needed.

      Default: DES-CBC.

   Compression
      Default: none.

   Authentication
      Each interface document will describe the keying material needed.

      Default: none.

   Each party configures a list of known SPIs and symmetric secret-keys.

   In addition, each party configures local policy that determines what
   access (if any) is granted to the holder of a particular SPI.  For
   example, a party might allow FTP, but prohibit Telnet.  Such
   considerations are outside the scope of this document.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
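As an added illustration of the text above (this is not code from the original message or from any ESP implementation), the following Python checks a manually configured security association against the defaults and ranges listed in the post, and shows the kind of receiver-side check that the "Replay Window" parameter turns on. The configuration key names (`spi`, `spilt`, `replay_window`, `pad`) are made up for this example, and the bitmask sliding-window algorithm is a conventional design choice assumed here, not something the post specifies.

```python
"""Added example: manual-parameter validation and a sliding replay window.

Defaults and ranges are taken from the posted "Operational Considerations"
text.  Key names and the bitmask window algorithm are assumptions made
for this example.
"""

DAY = 86400

# Stated defaults and ranges.
SPI_MANUAL_RANGE = (256, 65535)   # manually configured SPIs
SPILT_DEFAULT = 32 * DAY          # 2,764,800 seconds
SPILT_MAX = 182 * DAY             # 15,724,800 seconds
REPLAY_RANGE = (32, 256)          # 0 means checking off
PAD_RANGE = (7, 255)              # 0 means checking off


def validate_manual_config(cfg):
    """Return a list of problems with a manually configured SA (empty = OK)."""
    problems = []

    spi = cfg.get("spi", 0)
    if spi == 0:
        problems.append("spi: none configured (default 0 means none)")
    elif not SPI_MANUAL_RANGE[0] <= spi <= SPI_MANUAL_RANGE[1]:
        problems.append("spi: %d outside manual range %s" % (spi, SPI_MANUAL_RANGE))

    lifetime = cfg.get("spilt", SPILT_DEFAULT)
    if not 0 < lifetime <= SPILT_MAX:
        problems.append("spilt: %ds exceeds maximum %ds (182 days)" % (lifetime, SPILT_MAX))

    window = cfg.get("replay_window", 0)
    if window != 0 and not REPLAY_RANGE[0] <= window <= REPLAY_RANGE[1]:
        problems.append("replay_window: %d not 0 or within %s" % (window, REPLAY_RANGE))

    pad = cfg.get("pad", 0)
    if pad != 0 and not PAD_RANGE[0] <= pad <= PAD_RANGE[1]:
        problems.append("pad: %d not 0 or within %s" % (pad, PAD_RANGE))

    return problems


class ReplayWindow:
    """Bitmask sliding window over sequence numbers (assumed algorithm).

    size=0 disables checking, matching the post's default.  Bit i of the
    bitmap records whether sequence number (top - i) has already been seen.
    """

    def __init__(self, size):
        if size != 0 and not REPLAY_RANGE[0] <= size <= REPLAY_RANGE[1]:
            raise ValueError("replay window must be 0 or within %s" % (REPLAY_RANGE,))
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # seen-flags for top, top-1, ..., top-(size-1)

    def check_and_update(self, seq):
        """Accept seq once; reject a replay or a packet older than the window."""
        if self.size == 0:
            return True                       # checking off
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            # Slide the window forward; a jump past the window clears it.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old to verify
        if self.bitmap & (1 << offset):
            return False                      # replayed
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    # Constructed sample configuration, not from any real deployment.
    print(validate_manual_config({"spi": 1000, "replay_window": 64}))
    w = ReplayWindow(32)
    print([w.check_and_update(s) for s in (5, 5, 3, 100, 5, 70, 68)])
```

Replay checking only helps against peers that maintain monotonically increasing sequence numbers, which is why the post restricts it to peers known to implement the feature; with `size=0` the receiver accepts every sequence number, as with the stated default.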