With SKIP and ISAKMP you can do peer-to-peer key exchange to
handshake an encrypted IPSEC connection. The problem is, you
can negotiate a secure communication link with a host, but
there is no guarantee it's the host you want to connect to.
Both ISAKMP and SKIP assume that there is a trusted third
party X.509 Certificate Authority to vouch for the authenticity
of the public key value. Until an Internet-wide X.509 CA network
exists to register official public values, you have to rely
on 'sneaker net' or private (and possibly insecure) X.509 CAs
to establish trust in the connection.
Note: the last I heard, IPSEC with ISAKMP is mandatory for
implementing IPv6, while SKIP is optional.
Personal Opinions provided by
Leonard Miyata
aka leonard @ geminisecure . com
Gemini Computers Inc.
On Mon, 21 Jul 1997, Geoff Mulligan wrote:
> mikech> Having just completed our IPSec implementation (and testing its
> mikech> compatibility with most other IPSec implementations), I can tell
> mikech> you that the biggest hurdle is its lack of an "accepted" key
> mikech> exchange mechanism. Currently we are using a sneakernet, S/MIME
> mikech> or PGP manual exchange mechanism for keys. Both SKIP and
> mikech> Photuris are still at the development stage and are not cross
> mikech> compatible.
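The trust gap the post describes, as an added illustration that is not part of the original thread: a Diffie-Hellman exchange yields a shared secret with whoever sent the public value, so the receiver should only accept a value that a trusted CA has bound to the expected peer identity. The group, the "CA" RSA key and the host names below are constructed toy parameters, far too small for real use.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group (Mersenne prime, generator 2).
DH_P = 2**61 - 1
DH_G = 2

# Constructed toy CA signing key: textbook RSA on two small primes.
CA_P, CA_Q, CA_E = 104729, 1299709, 65537
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))


def digest(identity, public_value):
    """Hash the (identity, DH public value) binding down into the CA's modulus."""
    data = f"{identity}|{public_value}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def ca_issue(identity, public_value):
    """The CA vouches that public_value belongs to identity (a toy 'certificate')."""
    sig = pow(digest(identity, public_value), CA_D, CA_N)
    return {"id": identity, "pub": public_value, "sig": sig}


def verify_cert(cert, expected_identity):
    """Check the CA signature and that the certified identity is the peer we want."""
    if cert["id"] != expected_identity:
        return False
    return pow(cert["sig"], CA_E, CA_N) == digest(cert["id"], cert["pub"])


def dh_keypair():
    secret = secrets.randbelow(DH_P - 2) + 2
    return secret, pow(DH_G, secret, DH_P)


def unauthenticated_exchange(my_secret, peer_public):
    """Produces a key with whoever supplied peer_public; identity is never checked."""
    return pow(peer_public, my_secret, DH_P)


def authenticated_exchange(my_secret, peer_cert, expected_identity):
    """Derive the key only if a trusted CA binds the public value to expected_identity."""
    if not verify_cert(peer_cert, expected_identity):
        return None  # refuse: nobody trusted vouches that this value belongs to the peer
    return pow(peer_cert["pub"], my_secret, DH_P)
```

A value signed for one host name, or carrying another certificate's signature, is rejected before any session key is derived.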