Re: is manual keying mandatory
I sent my original reply directly to Roy. Sorry 'bout that.
I've remembered another reason for MUST on manual keying that Bill hints at
here...
> It also leaves more room for experimentation with new key
> management techniques, since a new key management system can be
> grafted on through the "manual" key management interface.
YES! And one example of a new key management system is any system for
multicast keys!
If you don't have manual keying, how can you add:
    AH
    spi 0x1969
    authalg md5
    src <INADDR_ANY>
    dst 224.124.12.2
That's a perfectly legal and valid multicast SA, and manual keying (or any
first-cut KDC solution that makes you get the group key from a group key
manager) is the only way to do that.
Dan