Re: manual keying and IPSEC conformance
Although I prefer use of ISAKMP, I feel that manual keying is important
to have, for several reasons.
First, there's the need for backup. Key management is a more delicate
business -- certificates may be unavailable, the daemon may be in a bad
mood, etc. In a sense, this is an analog to the 'bypass' switch on
older crypto boxes, such as BLACKER.
Second, there's the firewall problem. ISAKMP is UDP-based, which makes
it hard to relay through firewalls. In some environments, manual keying
may be preferable to opening a hole in the firewall for ISAKMP communications.
(As an aside, the ISAKMP draft notes this problem. I suggest that the
draft be amended to include a note suggesting that implementations include
an option to use a fixed, user-specified port number for all ISAKMP packets.
Port 500 is used to receive messages, but a daemon that wishes to initiate
communications with a remote ISAKMP may prefer to use a different port.)
Third, and most serious, I can think of one environment where manual
keying may be necessary because ISAKMP doesn't scale: large-scale network
management platforms. A workstation that is managing thousands of hubs,
CSUs, routers, etc., will need to negotiate and cache thousands of security
associations. A single shared key may be preferable.
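The firewall point raised in the message, worked through as an added example that is not part of the original message or of any ISAKMP implementation: a small Python model of a stateless packet filter of the kind the message has in mind (ordered permit rules, no memory of which UDP datagrams went out, default deny). It compares the rule set a site needs when its ISAKMP daemon initiates from an ephemeral source port with the rule set it can use when both daemons send from a fixed port. The inside/outside two-sided model, the choice of 1024-65535 as the ephemeral range, and the probe packet aimed at inside UDP port 33333 are all constructed for illustration.

```python
"""Stateless packet-filter model for ISAKMP over UDP.

Added example, not code from the original message. A stateless filter
cannot remember that an inside host just sent a datagram from some
ephemeral port, so to admit the reply it must open that whole port range
to anyone who sets source port 500. With a fixed source port the rule
collapses to 500 <-> 500 in both directions.
"""
from dataclasses import dataclass

ISAKMP_PORT = 500                 # well-known ISAKMP listening port
ANY = range(0, 65536)
EPHEMERAL = range(1024, 65536)    # assumed ephemeral range for this model
ONLY_500 = range(ISAKMP_PORT, ISAKMP_PORT + 1)


@dataclass(frozen=True)
class Packet:
    """A UDP datagram seen by the filter. src is 'inside' or 'outside'."""
    src: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """Permit rule: side the packet comes from, allowed port ranges."""
    src: str
    sport: range
    dport: range

    def matches(self, p: Packet) -> bool:
        return p.src == self.src and p.sport in self.sport and p.dport in self.dport


def permitted(rules, p: Packet) -> bool:
    """Stateless decision: any matching permit rule admits the packet, else deny."""
    return any(r.matches(p) for r in rules)


# Rule set A: local daemon initiates from an ephemeral port. The reply from
# the remote daemon arrives from outside port 500 to whatever high port we
# used, and the filter cannot know which one, so the last rule opens every
# high port to any outside host that sets its source port to 500.
RULES_EPHEMERAL_SOURCE = [
    Rule("inside", EPHEMERAL, ONLY_500),   # our initiations
    Rule("inside", ONLY_500, ANY),         # our replies to remote initiations
    Rule("outside", ANY, ONLY_500),        # remote initiations to our port 500
    Rule("outside", ONLY_500, EPHEMERAL),  # replies to our initiations (the hole)
]

# Rule set B: both daemons always send from port 500, so only 500 <-> 500
# need be permitted and no non-ISAKMP service is reachable through the rules.
RULES_FIXED_PORT = [
    Rule("inside", ONLY_500, ONLY_500),
    Rule("outside", ONLY_500, ONLY_500),
]

# Constructed traffic. The probe is an outside host spoofing source port 500
# toward some unrelated inside UDP service on port 33333.
PROBE = Packet("outside", ISAKMP_PORT, 33333)
LEGIT_FIXED = [Packet("inside", 500, 500), Packet("outside", 500, 500)]
LEGIT_EPHEMERAL = [Packet("inside", 40000, 500), Packet("outside", 500, 40000)]


def hole_exposed(rules) -> bool:
    """True if the rule set lets the spoofed probe reach a non-ISAKMP port."""
    return permitted(rules, PROBE)


def isakmp_works(rules, packets) -> bool:
    """True if every packet of a legitimate ISAKMP exchange is admitted."""
    return all(permitted(rules, p) for p in packets)


if __name__ == "__main__":
    print("ephemeral-source rules expose hole:", hole_exposed(RULES_EPHEMERAL_SOURCE))
    print("fixed-port rules expose hole:     ", hole_exposed(RULES_FIXED_PORT))
    # Caveat: the tight rule set only works if *both* daemons honour the
    # fixed port; a peer still initiating from an ephemeral port is cut off.
    print("fixed rules, ephemeral peer works: ",
          isakmp_works(RULES_FIXED_PORT, LEGIT_EPHEMERAL))
```

The model deliberately omits connection tracking; a stateful filter can close the hole on its own, but that is exactly the capability the message assumes the site's firewall lacks. Note the caveat shown in the last line: the fixed-port rule set only helps if the remote daemon also sends from the fixed port, which is why the message asks for the option in the draft rather than in one implementation.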