
Re: [MSEC] Re: new version of ESP ID



Haitham,

I tend to agree with Steve. Large groups or dynamic groups will need 
distributed key and security management. I'd point out that GSAKMP (heavy 
and Lite) allow for distribution of the key and security management functions.

One of the key points to setting up distributed management for large groups 
is ensuring that the system is secure. GSAKMP does this by incorporating a 
policy token in the key exchanges.

On your second point, anti-replay: I think the decision to switch off that 
feature is dependent on the system you're protecting. In many cases, I'd do 
as you suggested, turn off the anti-replay. However, it depends on the 
threats to the system.

Hugh

________________________________________________________
Hugh Harney		hh@sparta.com		410-381-9400 x203
________________________________________________________