Re: On the Use of SCTP with IPsec
Hi Jari, thanks for the early comments. I'll try to give some brief
answers (or just followup):

1) I think this would require action on the part of the PKIX group; also
note that the more expressive and complex the expressions you want in the
"identity", the more they resemble a programming language of sorts (and
I'll just point out our recent paper at NDSS on "Trust Management for
IPsec").

2) Good question; I would imagine that this draft would serve as a basis
for existing documents (to address the issues raised); in particular, I
think the following existing RFCs would be amended/modified/reissued (note
that some of them are in the process of doing so): IPsec Architecture,
IPsec DOI, IKE. It is possible to turn this draft into a document describing
what's needed to support SCTP, as an addendum to all the other RFCs, but
I don't think that's as helpful to implementors.

3) That is something for the working group to decide really; I don't have
any strong preference for or against, but I think for simplicity the full
identity payloads should be used. As for arbitrary recursion, we do indeed
mean depth <= 2; width is de facto limited by the packet size (and I don't
see a reason to be more specific about *that*).

4) I personally don't know what "typical" SCTP policies/selectors look like,
and given the deployment status of SCTP at this stage I doubt anyone does
(perhaps Randall?). As I understand it, SCTP does not depend on ICMP.

That said, I don't see why "SCTP policies" should be different from
"TCP policies" (other than the fact that endpoints are
multi-addressed).

-Angelos
