
Re: proposed changes to ISAKMP/Oakley




Steve,

  I disagree that the concept of a Proxy-ID is in any way unique
to ISAKMP/Oakley.

  The concept of a Proxy-ID is general enough to be widely useful,
IMHO.  I'd suggest it would be useful to define as an optional-to-
implement part of an IPsec Security Association with a clear standard
definition.  While not all KM techniques might support it, more than
one manual keying implementation supports the concept and many KM
techniques are capable of supporting the concept.  All PF_KEY 
implementations should be supporting Proxy-IDs and PF_KEY is 
independent of the KM protocol, for example.

  IMHO, omitting explicit definition of the Proxy-ID from the formal
definition of an IPsec SA is likely to lead to reduced security in
the operational Internet.  Including it is likely to enhance security
in the deployed operational Internet.

Regards,

Ran


