Re: Text suggestion on computing keymat for rekey
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@east.sun.com> writes:
Bill> I may well have been part of the same hallway discussion. One of the
Bill> other conclusions that this group came to was that it was somewhere
Bill> between extremely helpful and absolutely necessary to add an attribute
Bill> in the negotiation which specifically called out *which* SA was being
Bill> rekeyed/replaced. (All you'd need is the SPI of the previous SA).
Hugh Redelmeier proposed the term "channel identifier" to represent a
long-lived number that uniquely identifies the communications. It does not
change when things are rekeyed.
I was thinking that 32 bits of low-grade random number was enough for both
ends to "announce", with the long-term number being their concatenation.
(Likely, lower IP address end first, since this may survive Init/responder
roles easily.)
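As an added illustration, not code from this thread or from any IKE implementation: one way both ends could derive the proposed channel identifier (two announced 32-bit values, lower-IP-address end first) so that the result does not depend on who was initiator, plus a small table that accepts a rekey only when it names the SPI of the SA currently in use on that channel. The function and class names, and the tie-break used when both addresses are equal, are my assumptions.

```python
import os
import ipaddress
from typing import Dict


def announce() -> int:
    """A 32-bit 'low-grade' random value for one end to announce."""
    return int.from_bytes(os.urandom(4), "big")


def channel_id(local_ip: str, local_rand: int, peer_ip: str, peer_rand: int) -> int:
    """Long-lived channel identifier: the two announced 32-bit values
    concatenated, the value from the lower IP address end in the high half.
    Both ends call this with their own view and get the same 64-bit number."""
    for r in (local_rand, peer_rand):
        if not 0 <= r < 2 ** 32:
            raise ValueError("announced value must fit in 32 bits")
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(peer_ip)
    if local.version != peer.version:
        raise ValueError("both ends must use the same address family")
    if local < peer:
        first, second = local_rand, peer_rand
    elif peer < local:
        first, second = peer_rand, local_rand
    else:
        # Assumption (not from the thread): identical addresses, e.g. loopback
        # tests, fall back to ordering by the announced values themselves.
        first, second = sorted((local_rand, peer_rand))
    return (first << 32) | second


class ChannelTable:
    """Tracks which SA (by SPI) currently carries each long-lived channel."""

    def __init__(self) -> None:
        self.current: Dict[int, int] = {}

    def establish(self, chan: int, spi: int) -> None:
        self.current[chan] = spi

    def rekey(self, chan: int, previous_spi: int, new_spi: int) -> bool:
        """Accept a rekey only if it names the SA currently in use on the
        channel; a stale or unknown previous SPI is rejected, so the peer
        cannot replace an SA it is not actually talking about."""
        if self.current.get(chan) != previous_spi:
            return False
        self.current[chan] = new_spi
        return True
```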
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [