RE: is manual keying mandatory (fwd)
Rob Adams <adams@cisco.com> Thu, 19 March 1998 18:41 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA20221 for ipsec-outgoing; Thu, 19 Mar 1998 13:41:40 -0500 (EST)
Message-ID: <01BD5325.5F8EA080.adams@cisco.com>
From: Rob Adams <adams@cisco.com>
Reply-To: "adams@cisco.com" <adams@cisco.com>
To: 'Robert Moskowitz' <rgm-sec@htt-consult.com>, 'Jackie Wilson' <jhwilson@austin.ibm.com>, "'ipsec@tis.com'" <ipsec@tis.com>
Subject: RE: is manual keying mandatory (fwd)
Date: Thu, 19 Mar 1998 10:54:06 -0800
Organization: Cisco Systems
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I personally don't see the need for a MUST on manual keying. I've been saying this for over a year so that isn't anything new.

The reasons for a manual keying MUST so far seem to be wrapped around support and other KMP's. I don't see either of these as interoperability issues but as product issues. The other issue is to interop with legacy systems that do not support an automated way of exchanging keys. Well....

The architecture document states, section 3.2 p. 8:

"This document requires support for both manual and automatic distribution of keys. It specifies a specific public-key based approach (IKE -- [MSST97, Orm97, HC98]) for automatic key management, but other automated key distribution techniques MAY be used."

To be IPSEC compliant, I need to have automatic keying and I need to use IKE. So legacy systems are already not part of the scope of this architecture. This statement also indicates a required method of interoperability that is not manual keying.

The other reason I've seen is because it is easy. I'm not sure we should include things in the architecture because they are easy. Otherwise, ESP with NULL authentication and encryption would be required.

I feel strongly that manual keying should not be a MUST. SHOULD or MAY is fine. MUST seems like overkill.

Based on the traffic this has caused, I'm sure we'll still end up with manual keying being a MUST, but what the heck, we haven't seen a good flame in a week or two.

-Rob

-----Original Message-----
From: Robert Moskowitz [SMTP:rgm-sec@htt-consult.com]
Sent: Thursday, March 19, 1998 8:36 AM
To: Jackie Wilson; ipsec@tis.com
Subject: Re: is manual keying mandatory (fwd)

At 11:09 PM 3/18/98 -0600, Jackie Wilson wrote:
>I agree. It will be some time before all boxes support ISAKMP, but
>they will need to be included in secure networks. This will help
>customers adopt ISAKMP as a standard if it is widely available.

Jackie, I disagree with you as to the above reason, in general. Or perhaps you are thinking as I, but use different verbiage.

Some KMP is needed to rekey sessions. As an ex-network support person, I would not want to deploy non-rekeyable technology anymore except for certain embedded systems that are either: already running in a semi-secure environment, or are still just too limited to support the cost of IKE code. (Think about what it takes to protect a system from electric leaks under your car hood and you might get some ideas about cost overruns.)

>In a few years it could probably be phased out.

In time IKE preshared MIGHT be universally available, but to play with other KMPs, manual keying is important.

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com