[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Notes about identifier - locator separator
On Sunday, Nov 3, 2002, at 08:26 America/Montreal, Masataka Ohta wrote:
The key here is state. If the middle box or the receiver
has state (e.g. a cryptographic key or a communication context),
it can check that the arriving packet indeed contains or
implies a known long lasting identifier, and act accordingly.
However, parties that do not have that state cannot find
out the long lasting identifiers.
For a receiver to retrieve an appropriate cryptographic key or
a communication context for a packet, a long lasting ID in clear
text, as an index to the long lasting database of key or context,
must be carried by the packet.
SPIs in ESP/AH are examples of IDs contained in a packet used
as an index to the Security Association state. SPIs are not
normally long-lasting -- typically only valid for the lifetime
of the SA (plus epsilon). Any sane key management strategy
involves changing *session* keys *at least* every 24 hours,
even for very strong cryptographic algorithms.
So the claim above is bogus (or poorly written).