Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: Differences
From: Leonard Miyata <leonard @ geminisecure . com>
Date: Mon, 2 Feb 1998 10:37:46 -0800 (PST)
To: "Elfed T. Weaver" <weaver @ hydra . dra . hmg . gb>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <199801281342 . FAA03744 @ honor . greatcircle . com>

You are indeed correct in pointing out that IPSEC with ISAKMP
key exchange is mandatory for IPv6 with SKIP being optional.
To make a decision on their use in a VPN network, you must
know something about the strengths of each protocol.

SKIP is indeed a superset of IPSEC but not of ISAKMP. Behind
each SKIP header, there is indeed an AH and/or ESP packet
payload. The SKIP header contains the encryption/authentication
keys for the IPSEC payload, encrypted in the shared secret
derived from pre-distributed Diffie-Hellman values. IPSEC with
ISAKMP uses the application layer ISAKMP daemon to negotiate
one time encryption/authentication keys for use in a Security
Association of finite life. Since the SKIP shared secrets are
pre-distributed, there is no handshaking overhead to establish
an encrypted connection. To require an ISAKMP handshake just to
deliver a single UDP packet..... 

On the other hand, SKIP X.509 signed identities have a lifetime of months 
to years, compared to ISAKMP Security Association lifetime of hours to 
days, which makes ISAKMP less prone to brute force key attacks (that is
assuming you don't trust the statement that the small size
of the encrypted keys in the SKIP header is too small to
provide useful information to crack the shared secret. That's
the SKIP assumption).

IMHO, both SKIP and ISAKMP share a common weakness. Peer to 
peer key exchange cannot be trusted unless ownership of the
key can be verified by some other means (Web of trust, digital
signature of an X.509 CA, KERBEROS ticket, etc.).

This still boils down to the fact that SKIP, ISAKMP, and other
peer to peer protocols are only COMPONENTS of a VPN. Implied
requirements (X.509 hierarchy, PF_KEY application support, etc)
must be taken into account when designing a VPN.

Personal Opinions provided by
Leonard Miyata
aka leonard @ geminisecure . com
Gemini Computers Inc.

On Wed, 28 Jan 1998, Elfed T. Weaver wrote:

> 
> Superset ?
> 
> SKIP was a key management protocol (IKMP) proposed for use 
> with the IPSec protocols. In its basic form it is quite simple 
> although not very flexible. To achieve the flexibility required by 
> the IETF Working Group (WG) responsible for developing the IKMP, SKIP's 
> developers (SUN) defined a number of add-on protocols, this resulted 
> in a complex suite of protocols.
> 
> Consequently, the key management protocol mandated for use with IPv6 
> by the IETF IPSec WG is ISAKMP (Internet Security Association and Key 
> Management Protocol). This protocol, in its native form, provides 
> both the flexibility and forward migration path (to enable new key 
> exchanges to be integrated as and when they are developed) required 
> by the IPSec WG.
> 
> Note: both IPSec and ISAKMP can be used over IPv4-based networks; in 
> fact, the majority of implementations currently available are for 
> IPv4.
> 
> For more details see www.ietf.org/ids.by.wg/ipsec.html
> 
> 
> 

