
Re: Simplifying IKE

>>>>> "Dan" == Dan Harkins <dharkins@lounge.org> writes:
    Dan> Then the problem is on the other end. The selector either says every 
    Dan> packet _MUST_ be IPsec-protected or else it _MUST NOT_ be
    Dan> IPsec-protected.

  When IPsec is not part of the stack, this is a concern because the policy
checks must be done by the IPsec piece rather than having the crypto status
noted and checked by upper layers.

    Dan> Either way, if some packets -- those with Binding Updates -- are received with
    Dan> IPsec protection and others -- those without Binding Updates -- are not, then
    Dan> we're going to have a problem.

  If the packet has some form of authentication (I'll not prejudge by saying
AH), and this is noted in the control structure, then the piece that
processes the Binding Update says "okay, it was protected".
  The TCP layer (or whatever) above it didn't require that the packet was
protected (or not), so it goes on. If the system policy required all packets
to be authenticated, then TCP would check that.

  Dan McDonald? Bill Sommerfeld? Itojun? 
  Does this make sense?
 
  {Has anyone considered putting IKE messages inside a TCP option? This
doesn't help keep the session private, but if the point is to establish
keying so that a Binding Update will work, then this saves a bunch of
latency. You just can't go fix the triangle before your connection comes
up... I keep thinking that MIPv6 is the answer to multi6}

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
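
The layering described in the message above, as an added example that is
not part of the original post and is not NetBSD or KAME code: inbound
IPsec processing records only what it did in the packet's control
structure, and each consumer above it (the Binding Update code, then TCP)
checks that record against its own requirement. The names pkt_ctl,
ipsec_req, bu_accept, tcp_accept and input, and the two-flag control
structure, are assumptions made for the illustration.

```c
/*
 * Added example, not part of the original post and not NetBSD/KAME code:
 * a model of the design proposed above, where inbound IPsec processing
 * only notes what it did in the packet's control structure and each
 * upper-layer consumer checks that note against its own requirement.
 * Names (pkt_ctl, ipsec_req, bu_accept, tcp_accept, input) are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>

/* What a selector, an upper layer, or the system policy demands. */
enum ipsec_req { IPSEC_DONT_CARE, IPSEC_MUST, IPSEC_MUST_NOT };

/* Per-packet control block: the place inbound IPsec processing notes
 * the crypto status instead of enforcing policy itself (hypothetical). */
struct pkt_ctl {
    bool auth_ok;   /* packet carried verified authentication (AH or ESP-auth) */
    bool has_bu;    /* packet carries a Mobile IPv6 Binding Update */
};

/* Compare a requirement with what the packet actually received. */
static bool ipsec_check(enum ipsec_req req, const struct pkt_ctl *c)
{
    switch (req) {
    case IPSEC_MUST:     return c->auth_ok;
    case IPSEC_MUST_NOT: return !c->auth_ok;
    default:             return true;   /* IPSEC_DONT_CARE */
    }
}

/* Binding Update processing: this piece demands authentication whatever
 * the system policy says, so an unprotected BU is refused here. */
static bool bu_accept(const struct pkt_ctl *c)
{
    return c->has_bu && ipsec_check(IPSEC_MUST, c);
}

/* TCP (or whatever sits above the BU code) has no requirement of its
 * own; it enforces only the system-wide policy it is handed. */
static bool tcp_accept(const struct pkt_ctl *c, enum ipsec_req system_policy)
{
    return ipsec_check(system_policy, c);
}

/* Inbound path: no MUST/MUST NOT selector at the IPsec layer. A packet
 * carrying a BU is checked by the BU code, then every packet goes on to
 * the transport layer, which applies only the system policy. */
static bool input(const struct pkt_ctl *c, enum ipsec_req system_policy)
{
    if (c->has_bu && !bu_accept(c))
        return false;
    return tcp_accept(c, system_policy);
}

int main(void)
{
    /* Constructed packets covering the cases raised in the thread. */
    const struct pkt_ctl bu_protected   = { .auth_ok = true,  .has_bu = true  };
    const struct pkt_ctl bu_unprotected = { .auth_ok = false, .has_bu = true  };
    const struct pkt_ctl plain_tcp      = { .auth_ok = false, .has_bu = false };

    printf("protected BU, no system policy:   %s\n",
           input(&bu_protected, IPSEC_DONT_CARE) ? "accept" : "drop");
    printf("unprotected BU, no system policy: %s\n",
           input(&bu_unprotected, IPSEC_DONT_CARE) ? "accept" : "drop");
    printf("plain TCP, no system policy:      %s\n",
           input(&plain_tcp, IPSEC_DONT_CARE) ? "accept" : "drop");
    printf("plain TCP, system policy MUST:    %s\n",
           input(&plain_tcp, IPSEC_MUST) ? "accept" : "drop");
    return 0;
}
```

The point of the model is that a protected packet with a Binding Update
and an unprotected packet without one both get through the same stack,
because the requirement lives in the consumer rather than in a single
per-selector MUST / MUST NOT rule; the only thing the IPsec layer has to
get right is never to set auth_ok for a packet it did not actually verify.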

