
initiator and responder in JFK



-----BEGIN PGP SIGNED MESSAGE-----


  I want to dispute section 2.5 of the JFK draft that says:

"
   We also eliminate negotiation, in favor of ukases issued by the
   Responder.  The Responder is providing a service; it is entitled to
   set its own requirements for that service.  Any cryptographic
   primitive mentioned by the Responder is acceptable; the Initiator
   can choose any it wishes.  We thus eliminate complex rules for
   selecting the ``best'' choice from two different sets.  We also
   eliminate state to be kept by the Responder; the Initiator can
   either accept the Responder's desires or restart the protocol.
"

  This seems to assume that all initiators of keying are "clients" and
that all responders are "servers". It seems to also be under this guise that
identity protection for the responder has been eliminated.

  Sure, this works for web sites. So, btw, does NAT and SSL.
  IPsec is about so much more.

  Even in a straight VPN situation, connecting to offices, I don't see
clients and servers. What I see is a tunnel being set up when there is
traffic, and possibly torn down when there is no traffic and the keying
expires. (We do this in FreeSWAN with Opportunistic Encryption.)

  Note - in the absence of TCP keepalives or application keepalives, there is
no reason why the tunnel need remain up (or that the gateway continue to have
power for that matter) when there is no activity on the connection. After
days of silence, the "server" may suddenly want to send a packet. In that
scenario, the "client" is now the "responder" - how can it make a reasonable
choice here? And why should it reveal its identity?

  Perhaps I misunderstand the draft. I read it this morning after skiing
yesterday, and I neglected to take the altitude/oxygen factor into account.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPBG/qoqHRg3pndX9AQFiPgQAjn+f3YQjUdEg1NbjiY4SUVRrWowmCZ4n
jmY+r3hhfLdkmyyCsM9m3LsJLtSB4ERbDZgySUGG9KhnhlDdhyVdrcgJC+wAbHOp
gYSBn4HZ5nTwXnn9EhDPBD7mcGHmZx4qfBJrAuxlL20Dtv0RScrIwvwBm3SbWjN6
jOJITBrwcQ4=
=ZVaD
-----END PGP SIGNATURE-----