[Fwd: Re: Calling the question: derived vs. explicit IV]
- To: ipsec@tis.com
- Subject: [Fwd: Re: Calling the question: derived vs. explicit IV]
- From: "Scott G. Kelly" <scott@fet.com>
- Date: Fri, 08 Aug 1997 11:08:34 -0700
- Organization: Furukawa Electric Technologies, Inc.
- Sender: owner-ipsec@ex.tis.com
Scott G. Kelly wrote:
>
> Robert Moskowitz wrote:
> >
> > Let's see here. At about 17,500' level, SAs drive the
> > encryption/authentication algorithms and are one of the by-products of a
> > KMP. The KMP might be two people on keyboards and phones (i.e. manual).
> >
> > There have been 4 KMPs discussed in this workgroup:
> >
> > Manual
> > Photuris
> > SKIP
> > ISAKMP/Oakley
> >
> > A KMP that can be used for things other than just IPsec SHOULD have a DOI.
> > ISAKMP/Oakley does. I suppose that someone could write a DOI for manual.
> >
>
> Three comments:
>
> (1) Part of the confusion here is due to unfortunate naming choices. The
> KMP in ISAKMP is not the same as the KMP you're using to refer to key
> exchange (management?) protocols. Furthermore, ISAKMP does not define a
> 'key management' protocol in the strict sense, or if it does, that
> certainly is not clear from the documents posted to date. It defines a
> 'security association management protocol', which has the added feature
> of providing a framework within which key exchange/management mechanisms
> may be selected and encapsulated.
>
> It might be too much to hope that we can clean up some of this confusing
> terminology before going to RFCs, but I hold that hope nonetheless.
>
> (2) Given that clarification, SAs are not the byproduct of KMPs;
> rather, they are the byproduct of a security policy. In fact, they are
> an instance of the application of a security policy to a particular
> datastream.
>
> (3) Again, according to the drafts currently posted at ietf.org, the
> only documented DOI in existence is for IP security within the ISAKMP
> framework. Or am I missing something?
>
> >
> > The ISAKMP/Oakley DOI for IPsec is irrelevant with respect to manual SA
> > configuration. At least in my reading of it.
>
> As indicated in (3) above, I can't find any reference in the documents
> to the ISAKMP/Oakley DOI. As far as I can ascertain, there is no such
> critter; the only defined DOI (so far) is for IP security within the
> ISAKMP framework. And again, I am not trying to be belligerent or smug;
> I only began studying the IPsec documents about a month ago, and I don't
> know anywhere near as much about this as many of you do. However, one of
> the real challenges in trying to get up to speed has been in wading
> through all the unfortunate language being used, language which just
> fosters confusion. These documents and protocols have far-reaching
> implications and ramifications; the utmost care should be exercised in
> arriving at design decisions, including naming conventions.
>
> Scott