Re: ICIM: comment on IPsecPolicyGroup
I see the attraction of the abstraction in theory, but in practice,
KM protocols don't operate in a vacuum ("hey, get me 128 bits
shared with that guy over there").
IKE is the only KM protocol that understands IPSec. I think that
if other protocols are needed for IPSec KM, they should be
introduced through ISAKMP, so that the negotiation of SA's
is done properly.
Also, IPSec supports manually shared keys,
so there shouldn't be a need to introduce a new rule for specifying
it, should there?
Hilarie
>>> Ricky Charlet <rcharlet@xxxxxxxxxxxx> 01/09/01 05:38PM >>>
Howdy,
IPsecPolicyGroup binds together an IKERule and an IPsecRule. I'd like
to see a layer of abstraction introduced, namely a KeyManagementRule.
Then under keyManagementRule, we could use IKE for KM services if we
wanted, but we could also use Kerberos, or son-of-ike or manually
entered keys, or....
--
Ricky Charlet : Redcreek Communications : usa (510) 795-6903