On Wed, Jan 4, 2012 at 5:39 AM, RJ Atkinson <[email protected]> wrote:
> On 04 Jan 2012, at 00:49 , Nico Williams wrote:
>> In 2012 the use of manually keyed unicast SAs with
>> group shared keys is not exactly impressive (because not scalable).
>
> Actually, that assumption is not valid.  There are
> multiple approaches to scalability available now.
>
> An obvious example is to use a KDC to distribute keys.

Out of curiosity, does such a protocol for keying SAs at end-points
and sharing the keys with routers/firewalls exist, and is it
implemented in any routers/firewalls?

Also, whether using an out-of-band provisioning system or a KDC, you
still have the problem that you need O(N^2) SAs to be pre-keyed (or,
if keyed dynamically, the middle-boxes need to be able to go fetch
keys dynamically unless they are the KDCs).  I can imagine a system
with static-static DH key exchange, with trusted middle-boxes knowing
the private DH keys.  A system with symmetric keying only would be
severely limited by the O(N^2) SA keying requirement, and would be
limited in applicability to VPN (including BITW) applications and
small end-to-end applications.

Nico
--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
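To make the scaling argument in Nico's message concrete, here is an added illustration (not code from the thread or from any IPsec implementation) of the two keying models he contrasts: pre-keyed symmetric SAs, which grow as O(N^2), versus static-static DH, where each endpoint holds one long-lived key pair and a middlebox trusted with one endpoint's private key can derive that endpoint's per-pair SA keys. The DH group, identifiers and KDF label are toy values constructed for the demo, not a real IKE group.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (constructed here; not a
# real IPsec/IKE group). A deployment would use a standard MODP or EC group.
P = 2**127 - 1          # Mersenne prime M127
G = 5

def gen_static_keypair():
    """One long-lived (static) DH key pair per endpoint."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_sa_key(my_priv, peer_pub, my_id, peer_id):
    """Static-static DH: both endpoints, and anyone holding one of the two
    private keys, derive the same per-pair SA key. Identities are sorted so
    the derivation is symmetric regardless of which side computes it."""
    shared = pow(peer_pub, my_priv, P)
    lo, hi = sorted((my_id, peer_id))
    material = (b"toy-sa-kdf|" + lo.encode() + b"|" + hi.encode()
                + b"|" + shared.to_bytes(16, "big"))
    return hashlib.sha256(material).hexdigest()

def pairwise_symmetric_sa_count(n):
    """Pre-keyed symmetric unicast SAs needed for n endpoints: one per pair."""
    return n * (n - 1) // 2

def static_dh_key_count(n):
    """Long-lived secrets to provision with static-static DH: one per endpoint."""
    return n

def demo():
    # Constructed sample: endpoints A, B, C and a middlebox trusted with A's
    # private key plus everyone's public keys.
    ids = ["A", "B", "C"]
    keys = {i: gen_static_keypair() for i in ids}
    pubs = {i: keys[i][1] for i in ids}
    k_ab_from_a = derive_sa_key(keys["A"][0], pubs["B"], "A", "B")
    k_ab_from_b = derive_sa_key(keys["B"][0], pubs["A"], "B", "A")
    middlebox_priv_a = keys["A"][0]
    k_ab_middlebox = derive_sa_key(middlebox_priv_a, pubs["B"], "A", "B")
    k_ac_middlebox = derive_sa_key(middlebox_priv_a, pubs["C"], "A", "C")
    return {
        "ab_agree": k_ab_from_a == k_ab_from_b,            # endpoints match
        "middlebox_sees_ab": k_ab_middlebox == k_ab_from_a, # trusted box derives A-B
        "pairs_distinct": k_ac_middlebox != k_ab_middlebox, # A-C key differs from A-B
    }
```

With 100 endpoints the symmetric model needs 4950 pre-keyed SAs while the static-DH model provisions 100 private keys, which is the O(N^2) versus O(N) gap the message describes.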
