
Re: Simplifying IKE



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Francis" == Francis Dupont <Francis.Dupont@enst-bretagne.fr> writes:
    MCR> {Has anyone considered putting IKE message inside of a TCP
    MCR> option? This doesn't help keep the session private, but if the
    MCR> point is to establish keying so that a Binding Update will work,
    MCR> then this saves a bunch of latency. You just can't go fix the
    MCR> triangle before your connection comes up... I keep thinking that
    MCR> MIPv6 is the answer to multi6}
   
    Francis> => as the context is IPv6 I think an extension header like the
    Francis> destination option header (in final position) is far better for
    Francis> this. But I don't like piggybacking for heavy weight protocols
    Francis> (no clear pro, many cons like ROHC confusion, complexity, SPD
    Francis> ambiguity, etc).

  The reason for it to be a TCP option is so that one can make a strong
connection between the TCP sequence numbers and the IKE cookies. If the TCP
sequence numbers are considered strong enough for the connection (which is
true for a lot of connections today), then this gets you a bunch of help on
setting up the IKE. You may not need a global PKI to make it work if you can,
in this 80% situation, leverage on top of what we already have.

  (It does not cover the other 20% which does require a higher level of
trust)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.5.6, an Emacs/PGP interface

iQCVAwUBO3wro4qHRg3pndX9AQFDwQP8D52ltMWZX2ZUTpvkrX7GJi59zocu9A7h
IzarR0VpB5aEgZ7zjnRD37Y361XCi3PDUSR6Wp+D9ossU4YIs9y9YP9uz7simtUG
VfpTo3pirXrZcBCQ0y+idSwA8TmtJOv38wW+ihUZWNMt+P2hd2ZVOJl39AS+OsHH
kRNrn1+UCWQ=
=HImr
-----END PGP SIGNATURE-----
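The cookie-to-sequence-number binding the post proposes, worked through as an added Python example. This is not code from the post, from the mailing list, or from any IKE implementation: the cookie derivation, the toy ISN generators, the sample connection values and the secret are all constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, replace
from typing import Callable, Optional

COOKIE_LEN = 8  # ISAKMP cookies are 8 octets

# Constructed per-host secret, the usual stateless-cookie ingredient.
EXAMPLE_SECRET = b"constructed-example-secret-do-not-reuse"


@dataclass(frozen=True)
class TcpConn:
    """TCP state a peer already holds once the handshake has completed."""
    src: str
    dst: str
    sport: int
    dport: int
    isn_local: int   # ISN this side chose
    isn_remote: int  # ISN seen in the peer's SYN or SYN-ACK


def example_connection(isn_remote: int = 0x2C3D4E5F) -> TcpConn:
    """Constructed sample connection (addresses from the documentation prefix)."""
    return TcpConn("2001:db8::1", "2001:db8::2", 40000, 500, 0x1A2B3C4D, isn_remote)


def derive_cookie(conn: TcpConn, local_secret: bytes) -> bytes:
    """Hypothetical derivation: HMAC over the 4-tuple and both ISNs, truncated
    to cookie size. The secret is this side's private cookie key; the ISNs are
    the binding to the TCP connection that the post proposes."""
    msg = b"|".join([
        conn.src.encode(), conn.dst.encode(),
        struct.pack("!HHII", conn.sport, conn.dport,
                    conn.isn_local & 0xFFFFFFFF, conn.isn_remote & 0xFFFFFFFF),
    ])
    return hmac.new(local_secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def cookie_matches_connection(cookie: bytes, conn: TcpConn, local_secret: bytes) -> bool:
    """Run by the cookie's creator when the cookie comes back in a TCP option:
    recompute it from the live connection state and compare in constant time.
    A cookie captured on one connection does not verify on another, because
    the other connection's ISNs feed the recomputation."""
    return hmac.compare_digest(cookie, derive_cookie(conn, local_secret))


def sequential_isn() -> Callable[[], int]:
    """Toy ISN source (constructed): every new connection gets the previous ISN
    plus a fixed 64000, the kind of generator the post's 'strong enough' caveat
    rules out."""
    state = {"isn": 0x12345678}

    def next_isn() -> int:
        state["isn"] = (state["isn"] + 64000) & 0xFFFFFFFF
        return state["isn"]

    return next_isn


def random_isn() -> Callable[[], int]:
    """ISN source drawing 32 fresh random bits per connection."""
    return lambda: int.from_bytes(os.urandom(4), "big")


def isn_predictable(new_isn: Callable[[], int], budget: int) -> Optional[int]:
    """Defender's check of the post's precondition: a party that legitimately
    observed one ISN tries to reproduce the next one, which it cannot see, by
    assuming the fixed-increment pattern. Returns the number of guesses needed,
    or None when the budget is exhausted; None is what the cookie binding
    requires, since the cookie is only as strong as the ISNs behind it."""
    observed = new_isn()   # the guesser's own, legitimate connection
    target = new_isn()     # the connection the guesser cannot see
    for i in range(1, budget + 1):
        if (observed + 64000 * i) & 0xFFFFFFFF == target:
            return i
    return None


if __name__ == "__main__":
    conn = example_connection()
    cookie = derive_cookie(conn, EXAMPLE_SECRET)
    print("cookie:", cookie.hex())
    print("same connection verifies:", cookie_matches_connection(cookie, conn, EXAMPLE_SECRET))
    print("other connection verifies:",
          cookie_matches_connection(cookie, replace(conn, isn_remote=0x99), EXAMPLE_SECRET))
    print("guesses vs sequential ISNs:", isn_predictable(sequential_isn(), 16))
    print("guesses vs random ISNs:", isn_predictable(random_isn(), 1000))
```

The two ISN sources make the post's 80/20 split concrete: the binding inherits exactly the off-path assumption TCP itself already makes, so against the fixed-increment generator it adds nothing, while against unpredictable ISNs an off-path party cannot produce a cookie for a connection it did not see. An on-path observer sees the ISNs and therefore the binding, which is the remaining 20% that the post says needs a higher level of trust.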

