[Fwd: Re: Calling the question: derived vs. explicit IV]



Scott G. Kelly wrote:
> 
> Robert Moskowitz wrote:
> >
> > Let's see here.  At about 17,500' level, SAs drive the
> > encryption/authentication algorithms and are one of the by-products of a
> > KMP.  The KMP might be two people on keyboards and phones (i.e., manual).
> >
> > There have been 4 KMPs discussed in this workgroup:
> >
> > Manual
> > Photuris
> > SKIP
> > ISAKMP/Oakley
> >
> > A KMP that can be used for things other than just IPsec, SHOULD have a DOI.
> >  ISAKMP/Oakley does.  I suppose that someone could write a DOI for manual.
> >
> 
> Three comments:
> 
> (1) Part of the confusion here is due to unfortunate naming choices. The
> KMP in ISAKMP is not the same as the KMP you're using to refer to key
> exchange (management?) protocols. Furthermore, ISAKMP does not define a
> 'key management' protocol in the strict sense, or if it does, that
> certainly is not clear from the documents posted to date. It defines a
> 'security association management protocol', which has the added feature
> of providing a framework within which key exchange/management mechanisms
> may be selected and encapsulated.
> 
> It might be too much to hope that we can clean up some of this confusing
> terminology before going to RFC's, but I hold that hope nonetheless.
> 
> (2) Given that clarification, SA's are not the byproduct of KMP's;
> rather, they are the byproduct of a security policy. In fact, they are
> an instance of the application of a security policy to a particular
> datastream.
> 
> (3) Again, according to the drafts currently posted at ietf.org, the
> only documented DOI in existence is for IP security within the ISAKMP
> framework. Or am I missing something?
> 
> >
> > The ISAKMP/Oakley DOI for IPsec is irrelevant wrt manual SA
> > configuration.  At least in my reading of it.
> 
> As indicated in (3) above, I can't find any reference in the documents
> to the ISAKMP/Oakley DOI. As far as I can ascertain, there is no such
> critter; the only defined DOI (so far) is for IP security within the
> ISAKMP framework. And again, I am not trying to be belligerent or smug;
> I only began studying the IPsec documents about a month ago, and I don't
> know anywhere near as much about this as many of you do. However, one of
> the real challenges in trying to get up to speed has been in wading
> through all the unfortunate language being used, language which just
> fosters confusion. These documents and protocols have far-reaching
> implications and ramifications; the utmost care should be exercised in
> arriving at design decisions, including naming conventions.
> 
> Scott