[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPsec Architecture -- proposed changes
I like most of the changes, however:
In message <199710070649.CAA15157@relay.hq.tis.com>, Karen Seo writes:
>
> <-------- How Outer Hdr Relates to Inner Hdr --------->
> IPv4 Outer Hdr at Encapsulator Inner Hdr at Decapsulator
> Header fields
> TTL copy from inner header (2) copy from outer hdr (2) &
> decrement before forwarding decrement before forwarding
This makes traceroute output look really weird when going through a tunnel.
The question is, should a tunnel look like a single IP hop or not? I'm of
the VPN religion, and so I believe that tunnels should look like a direct
(one hop) link between the two hosts/routers.
Comments?
> 12. How should we ensure interoperable mapping of key material to keys?
>
> We propose adding the following text to Section 4.6.2 "Automatic
> Techniques -- Key Mgt Protocol Requirements"
The replacement text doesn't handle the case where *both* the encryption and
authentication algorithms use variable length keys, e.g. RC5 with
HMAC-SHA1-96. Currently, none of the auth algorithm documents specify a key
length; there's a defacto standard to use the hash algorithm's digest size,
but it's not documented anywhere. ISAKMP allows you to negotiate the length
of variable keys for encryption, but not for simultaneous authentication.
This problem needs to be dealt with *somewhere*; I would put it within the
ISAKMP series somewhere.
--
Harald Koch <chk@utcc.utoronto.ca>
Follow-Ups:
References: