
Re: ISAKMP gateway function




Kai Martius <kai@imib.med.tu-dresden.de> writes on Wed, 3 Dec 1997 14:56:48 +0100:
> > Is this supported by ISAKMP and if so how is this done?
> 
> Phase II proxy exchange could handle this, I think. Depending on the interface of the ISAKMP daemon other hosts can request keys from it. However, the problem is that
> - the requested keys will be delivered in clear over the local network (according to the statement of Mitch Nelson, that "68-80% of the attacks for which encryption would provide some protection are on the local network." this isn't very nice...)
> - the host requesting the keys must trust the "ISAKMP-host" because it knows the final keys in every case.
> 

This brings up yet another question.  An SA is generated by a KMd on host B
at the request of host A.  B ships the SA to A.  How do B and A talk with
one another over the network, do they use AF_KEY?  (Is there any intent to
standardize this relationship?)  Then, of course, this traffic must be
secured (regardless of the protocol A and B use), but by definition there
is no KMd on A to create a secure channel to B...


D. Reeder



