
Re: Calling the question: derived vs. explicit IV
--- On Thu, 07 Aug 1997 16:03:35 -0700  "Scott G. Kelly" <scott@fet.com> wrote:

> This is an aside to your discussion: why doesn't DOI refer to manual SA
> configuration and keying? 

While the data elements within the IPsec DOI might well exist in manually
configured IPsec SAs, the IPsec DOI is a component of the ISAKMP protocol.

> Am I missing something?
> I thought DOI was an IPsec term...

"DOI" is an ISAKMP term.  Aside from that, the term "IPsec" is fairly
nebulous at present.  It sometimes means "ESP and AH" and other times means
"ESP and AH as used with certain algorithms" and yet other times means
"ESP and AH as used with certain algorithms, plus ISAKMP/Oakley key
management".  I try to avoid using the term "IPsec" nowadays because
it is imprecise and hence confusing. 

ISAKMP is applicable to networking protocols other than IPsec.  If one
considers a router, one could easily imagine the following additional DOIs:

	RIPv2 DOI for ISAKMP	(to dynamically manage RIPv2 cryptographic
				 authentication, currently configured manually).

	OSPFv2 DOI for ISAKMP	(to dynamically manage OSPFv2 cryptographic
				 authentication, currently configured manually).

As it happens, work on both of the above documents is well underway,
but missed the I-D cutoff before Munich.  I imagine they will appear online
not long after Munich.

The IESG would need to decide which WG those routing DOI drafts would belong in
if standardised, but I would imagine they would be put into the RIPv2 WG and 
OSPFv2 WG, respectively.  The development of cryptographic authentication
for routing protocols has historically been done in the applicable routing
protocol WG, hence my speculation.

There has also been at least hallway conversation at past IETF meetings
about creating an "SSH DOI for ISAKMP" for use with the increasingly
popular "Secure SHell" application.  There has also been discussion about
adding an "RSVP DOI for ISAKMP" to configure SAs for the RSVP integrity
object.  I don't know where those items stand.  Asking the respective
WG chairs (for SECSH and RSVP) might be a starting point for any curious people. 

Ran
rja@inet.org
