Re: SKIP in IPSEC: is it really simple?
pau@watson.ibm.com Thu, 12 September 1996 14:45 UTC
Received: from relay.hq.tis.com by neptune.TIS.COM id aa25333; 12 Sep 96 10:45 EDT
Received: by relay.hq.tis.com; id KAA09756; Thu, 12 Sep 1996 10:48:48 -0400
From: pau@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from sol.hq.tis.com(10.33.1.100) by relay.tis.com via smap (V3.1.1) id xma009734; Thu, 12 Sep 96 10:48:20 -0400
Received: from relay.hq.tis.com by tis.com (4.1/SUN-5.64) id AA16036; Thu, 12 Sep 96 10:47:29 EDT
Received: by relay.hq.tis.com; id KAA09725; Thu, 12 Sep 1996 10:48:18 -0400
Received: from igw2.watson.ibm.com(129.34.139.6) by relay.tis.com via smap (V3.1.1) id xma009657; Thu, 12 Sep 96 10:47:19 -0400
Received: from mailhub1.watson.ibm.com (mailhub1.watson.ibm.com [9.2.249.31]) by igw2.watson.ibm.com (8.7.4/8.7.1) with ESMTP id KAA40149; Thu, 12 Sep 1996 10:49:50 -0400
Received: from secpwr.watson.ibm.com (secpwr.watson.ibm.com [9.2.24.17]) by mailhub1.watson.ibm.com (8.7.1/09-08-96) with SMTP id KAA695444; Thu, 12 Sep 1996 10:49:22 -0400
Received: by secpwr.watson.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA22100; Thu, 12 Sep 1996 10:50:34 -0400
Date: Thu, 12 Sep 1996 10:50:34 -0400
Message-Id: <9609121450.AA22100@secpwr.watson.ibm.com>
To: ipsec@TIS.COM, skrenta@osmosys.incog.com
Subject: Re: SKIP in IPSEC: is it really simple?
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Md5: w0S5CRbwe8Der8qQIO9oMA==
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
> From ipsec-request@neptune.hq.tis.com Thu Sep 12 09:58:58 1996 > From: Rich Skrenta <skrenta@osmosys.incog.com> > Message-Id: <199609120042.RAA17690@miraj.incog.com> > Subject: Re: SKIP in IPSEC: is it really simple? > To: ipsec@TIS.COM > Date: Wed, 11 Sep 1996 17:42:53 -0700 (PDT) > In-Reply-To: <199609111751.NAA734524@mailhub1.watson.ibm.com> from > Content-Length: 3621 > Status: RO ............................... > > > Isn't this a highly misleading argument?? > > What is misleading to say is that SKIP has as high an overhead at startup > as an Oakley exchange, when the overhead in practice is considerably less. > It is also misleading to say that one can't have PFS in SKIP without > throwing out all of SKIP's advantages; this isn't true. If you run SKIP PFS extension, then the start up cost is about as high as any other interactive KMP. ............... > > ISAKMP/Oakley, on the other hand, has several security advantages > > over SKIP > > Having to stop and renegotiate a session to change the traffic key is not > an advantage. Why stop ? Just negotiate a new key before the old key expires. > > It is also incorrect to say that SKIP forces the Internet to standardize > on a single g and p; this is once again an administrative issue. Our > implementation currently supports as many local (g, p, i) identities as > the administrator cares to configure. It must, in order to support > simultaneous interoperability with products deployed to the different > rings of the US export law hell (2048 US, 1024 Swiss banks, 512 non-US). I am sure your product can do that but I fail to see where such flexibility is mentioned in the SKIP draft. You are actually enhancing SKIP to address a practical concern. I think this is another example of the complexity of the KMP issue. There are so many concenrs and many requirements that it is hard to find a one-size-fit-all solution. Pau-Chen
- Re: SKIP in IPSEC: is it really simple? Rich Skrenta
- Re: SKIP in IPSEC: is it really simple? Robert Moskowitz
- Re: SKIP in IPSEC: is it really simple? Robert Moskowitz
- Re: SKIP in IPSEC: is it really simple? pau
- Re: SKIP in IPSEC: is it really simple? Germano Caronni
- Re: SKIP in IPSEC: is it really simple? Bill Sommerfeld