
Re: manual keying and IPSEC conformance



> The current AH and ESP drafts state that manual keying is a MUST implement.
> This evolved from the earliest versions of these documents, which pre-dated
> any agreed upon dynamic key management protocol (i.e. ISAKMP/Oakley).
> (This was a long time ago, much too long, as we are all painfully aware...)

Yep.  It was a good idea then, and it's a good idea now.

> This requirement implies that an IPSEC host implementation which supports
> only ISAKMP/Oakley using the current AH and ESP drafts (anti-replay or
> not... :-), but without manual keying, would not be considered a conformant
> IPSEC implementation.

That _is_ correct.

> Is this what we really want -- manual keying with an optional-to-implement
> key management protocol?

I want manual keying.  Quite honestly, I want a mandatory key mgmt. protocol
as well, but there were decisions that were made.  Ask Jeff Schiller about
said decisions.  Ask the IPsec working group chairs at the time about said
decisions.  They had to do what they had to do.

> I'll also point out that our directive from Jeff from last fall states that
> ISAKMP/Oakley is mandatory-to-implement for IPv6 IPSEC [1].  Should it not
> be the same for IPv4?

I actually agree with you in the belief that ISAKMP/Oakley should be required
for IPv4.  I believe the reason it wasn't explicitly stated as such was to
save someone's face and not annoy certain people more than they had been
annoyed (or perhaps been annoying) already.

> My customers tell me that they don't want to have anything to do with
> manual keying.

Some of mine feel differently about manual keying.  Some of mine want to use
other KM schemes too, and/or experiment with them as well.

Without a manual keying interface, you cannot experiment (AFAIK) with
different KM protocols.  Do we want GKMP, or some other multicast protocol to
show up eventually?  How 'bout customers who want to use KDC technology?

IPsec was designed to be INDEPENDENT OF THE FOLLOWING THINGS:

	1.) Individual policies
	2.) Key management
	3.) Algorithms

Taking away manual keying weakens the independence of the IPsec
architecture.  And the independence of the IPsec architecture is its greatest
strength.

> That's why we're investing in ISAKMP/Oakley.  Is it really the desire of
> this working group to force me to include something that is insecure and
> that my customers don't want to buy?

The insecurity of manual keying is only as insecure as the person doing the
manual keying.

And my customers DO want to buy it.  Sorry, one vendor's customer base (no
matter how large/small/etc.) doesn't cut it.

> One obvious suggestion is to state that one must implement either
> ISAKMP/Oakley or manual keying.  Another is to just require ISAKMP/Oakley,
> as in IPv6.

BTW, IPv6 ALSO requires manual keying.  So if you want v4's requirements to
be like v6's, you'd be requiring manual keying and ISAKMP/Oakley for v4.

> Practically speaking, dynamic key management is going to be a prerequisite
> for any large-scale deployment of IPSEC.

Yep, which is why I agree with the part about mandating ISAKMP for IPv4.

Removing manual keying, however, gains us NOTHING and costs us in flexibility
and hand-twiddling that some customers want.

> What's the sense of the rest of the group?

Good question.

Dan
