
Re: is manual keying mandatory



I sent my original reply directly to Roy.  Sorry 'bout that.

I've remembered another reason for MUST on manual keying that Bill hints at
here...

> It also leaves more room for experimentation with new key
> management techniques, since a new key management system can be
> grafted on through the "manual" key management interface.

YES!  And one example of a new key management system is any system for
multicast keys!

If you don't have manual keying, how can you add:

		AH
		spi 0x1969
		authalg md5
		src <INADDR_ANY>
		dst 224.124.12.2

That's a perfectly legal and valid multicast SA, and manual keying (or any
first-cut KDC solution that makes you get the group key from a group key
manager) is the only way to do that.

Dan

