manual keying and IPSEC conformance
Folks,

It was suggested to me at the Munich meeting that it might be useful to
bring this issue up on the list.  So, here goes...  <deep breath here>

The current AH and ESP drafts state that manual keying is a MUST implement.
This evolved from the earliest versions of these documents, which pre-dated
any agreed upon dynamic key management protocol (i.e. ISAKMP/Oakley).
(This was a long time ago, much too long, as we are all painfully aware...)

This requirement implies that an IPSEC host implementation which supports
only ISAKMP/Oakley using the current AH and ESP drafts (anti-replay or
not... :-), but without manual keying, would not be considered a conformant
IPSEC implementation.

Is this what we really want -- manual keying with an optional-to-implement
key management protocol?  I'll also point out that our directive from Jeff
from last fall states that ISAKMP/Oakley is mandatory-to-implement for IPv6
IPSEC [1].  Should it not be the same for IPv4?

My customers tell me that they don't want to have anything to do with
manual keying.  That's why we're investing in ISAKMP/Oakley.  Is it really
the desire of this working group to force me to include something that is
insecure and that my customers don't want to buy?

One obvious suggestion is to state that one must implement either
ISAKMP/Oakley or manual keying.  Another is to just require ISAKMP/Oakley,
as in IPv6.  The former isn't the greatest from an interoperability
standpoint, but I believe that environments with a mix of manual keying and
dynamic keying are rather unlikely to exist in the first place.

Practically speaking, dynamic key management is going to be a prerequisite
for any large-scale deployment of IPSEC.

What's the sense of the rest of the group?

Derrell

[1] http://www.sandelman.ottawa.on.ca/ipsec/1996/09/msg00096.html