Re: SOI QUESTION: 4.7 Authenticated informational messages



On Thu, 27 Jun 2002, Theodore Ts'o wrote:

>
> Please discuss and answer this question:
>
> 4.7 Authenticated informational messages
>
> 4.7.A) Does SOI need to provide authenticated informational messages
> after an IKE SA has been set up?

Yes.

>  (What sort of informational messages
> might be needed?

As Tero pointed out, SCTP address additions may be useful. There's
been long discussion about expanding (and contracting) the policy that
the SA applies to. That discussion is no doubt affected by the speed
of rekeying (is it cheaper to negotiate a new SA to expand and
contract the policy? Or is it cheaper to send a notification to expand
and contract?).

>  Do they need to be protected in a different key than
> the SA key?)
>

They should be protected under the SA management channel.

jan


> Implications from the Scenarios:
>
> [none]
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe