Re: Simplifying IKE
>>>>> "Francis" == Francis Dupont <Francis.Dupont@enst-bretagne.fr> writes:
MCR> {Has anyone considered putting IKE message inside of a TCP
MCR> option? This doesn't help keep the session private, but if the
MCR> point is to establish keying so that a Binding Update will work,
MCR> then this saves a bunch of latency. You just can't go fix the
MCR> triangle before your connection comes up... I keep thinking that
MCR> MIPv6 is the answer to multi6}
Francis> => as the context is IPv6 I think an extension header like the
Francis> destination option header (in final position) is far better for
Francis> this. But I don't like piggybacking for heavyweight protocols
Francis> (no clear pro, many cons like ROHC confusion, complexity, SPD
Francis> ambiguity, etc).
The reason for it to be a TCP option is so that one can make a strong
connection between the TCP sequence numbers and the IKE cookies. If the TCP
sequence numbers are considered strong enough for the connection (which is
true for a lot of connections today), then this gets you a bunch of help on
setting up the IKE. You may not need a global PKI to make it work if you can,
in this 80% situation, leverage on top of what we already have.
(It does not cover the other 20%, which does require a higher level of
trust.)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [