[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) toProposed Standard

To: mat@cisco.com
Subject: Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) toProposed Standard
From: OKABE Nobuo <nov@tahi.org>
Date: Thu, 23 Jan 2003 10:04:56 +0900 (JST)
Cc: iesg@ietf.org, vilhuber@cisco.com
In-reply-to: <15917.45917.52554.993472@thomasm-u1.cisco.com>
References: <200211111823.NAA26773@ietf.org><20030118.181430.78702291.nov@tahi.org><15917.45917.52554.993472@thomasm-u1.cisco.com>

Michael,

From: Michael Thomas <mat@cisco.com>
Subject: Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) to Proposed Standard
Date: Tue, 21 Jan 2003 12:53:49 -0800 (PST)

> OKABE Nobuo writes:
>  > Here are our comments.
>  > 
>  > =====================================================================
>  > 7.3.  CREATE
>  > Comment 1)
>  > 
>  >     If a respondent's CPU is too poor for DH (ex. 8-bit CPU),
>  >     it has to reject a proposal that includes KE payload.
>  >     What message should the responder back to the initiator?
>  >     Is NO-PROPOSAL-CHOSEN right one?
>  >     Anyway, more specific description seems to be needed.
> 
>    There is no specific KINK error for this. I'm not
>    sure what it is that IKE does (if it's even clear there),
>    but if IKE would send back a NO-PROPOSAL-CHOSEN, that
>    seems appropriate. I'm not very convinced that this is
>    going to do what you want though as the other side isn't
>    going to be able to figure out what the problem was.
> 
>    Honestly, I sort of think this is outside of the
>    domain of the protocol, as there are bid-down attacks
>    which could result if it the protocol specified a
>    means of signaling this. It would probably be better
>    to come up with some out of band way to agree not
>    to send KE payloads... though I'm open to hear 
>    disagreement though.

I'm not sure how critical bid-down attacks are.
Anyway, I can accept your answer by the following reasons:

    - As you mentioned, NO-PROPOSAL-CHOSEN does not have meaning
      what I expected
      (= "please give me another proposal w/o KE payload).

    - Something new should be introduced if satisfying
      the above requirement. But it seems to be against KINK's 
      design policy (=resuing exited requirements and protocols
      as many as possible).
      And I don't want to introduced somthing complex into the KINK.

    - An out of band way seems not to be problem
      because KE payload is not mandatory.

Thanks,

P.S.
Now we have a plan to implement KINK with KAME people.

---- nobuo

References:
- Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) toProposed Standard
  - From: OKABE Nobuo <nov@tahi.org>
- Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) toProposed Standard
  - From: Michael Thomas <mat@cisco.com>

Prev by Date: RE: Last Call: CR-LDP Extensions for ASON to Informational
Next by Date: Title change for draft-melnikov-imap-mdn-05.txt
Previous by thread: Re: Last Call: Kerberized Internet Negotiation of Keys (KINK) toProposed Standard
Next by thread: Status of MOU negotiations
Index(es):
- Date
- Thread