Re: ISAKMP gateway function
Kai Martius <kai@imib.med.tu-dresden.de> writes on Wed, 3 Dec 1997 14:56:48 +0100:
> > Is this supported by ISAKMP and if so how is this done?
>
> Phase II proxy exchange could handle this, I think. Depending on the interface of the ISAKMP daemon, other hosts can request keys from it. However, the problem is that
> - the requested keys will be delivered in clear over the local network (regarding Mitch Nelson's statement that "68-80% of the attacks for which encryption would provide some protection are on the local network", this isn't very nice...)
> - the host requesting the keys must trust the "ISAKMP-host" because it knows the final keys in every case.
>
This brings up yet another question. An SA is generated by a KMd on host B
at the request of host A. B ships the SA to A. How do B and A talk with
one another over the network? Do they use AF_KEY? (Is there any intent to
standardize this relationship?) Then, of course, this traffic must be
secured (regardless of the protocol A and B use), but by definition there
is no KMd on A to create a secure channel to B...
D. Reeder