
Re: [saag] Fwd: draft-bonica-tcp-auth



A discussion that says "just use IPsec" is not going to change real implementations. We learned at the SAAG session in Dallas that some significant router vendors support IPsec for transit traffic, not traffic that terminates in the router. Some router vendors might be able to change this more easily than others, but they all will have an easier time implementing a TCP authentication option.

I have recently learned that more than one router vendor is doing experiments with this approach. Therefore, I suggest that we need to influence them with security requirements.

By my reading of this thread, these requirements include:
- select a strong integrity check mechanism;
- a scheme that will permit manual key management (it is used in a few places today);
- a scheme that will support migration to automated key management;
- a scheme that derives a per session key, even when manual keys are used;
- a scheme that permits key rollover while keeping the TCP session running; and
- coordinate key rollover, but either party can decide that it has been in use for too long, and this includes policies based on time as well as traffic volume.

I think we need to send a complete set of requirements in the next week or so.

Russ
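
Added example, not part of the original message and not taken from draft-bonica-tcp-auth: a sketch of how the listed requirements fit together, with a per-session key derived from a manually configured key, a key ID carried with each MAC so rollover does not reset the connection, and a sender-side rollover policy on age or traffic volume. The function and class names, the HMAC-SHA256 construction, the 12-byte truncation and the context layout are all assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, struct

MAC_LEN = 12  # assumed truncation length, not taken from any draft

def derive_session_key(master: bytes, key_id: int, src: str, sport: int,
                       dst: str, dport: int, isn_a: int, isn_b: int) -> bytes:
    """Bind a manually configured key to one TCP connection (assumed context layout)."""
    ctx = (bytes([key_id]) + ipaddress.ip_address(src).packed +
           ipaddress.ip_address(dst).packed +
           struct.pack("!HHII", sport, dport, isn_a, isn_b))
    return hmac.new(master, b"session-key" + ctx, hashlib.sha256).digest()

def tag(session_key: bytes, key_id: int, segment: bytes) -> bytes:
    """Return key ID followed by a truncated MAC over key ID and segment bytes."""
    mac = hmac.new(session_key, bytes([key_id]) + segment, hashlib.sha256).digest()
    return bytes([key_id]) + mac[:MAC_LEN]

class Session:
    """Holds every configured key so old and new keys overlap during rollover.
    Both peers pass the same conn tuple (the initiator's view of the connection)."""
    def __init__(self, masters: dict, conn: tuple, max_age_s: float,
                 max_bytes: int, now: float):
        self.keys = {k: derive_session_key(m, k, *conn) for k, m in masters.items()}
        self.max_age_s, self.max_bytes = max_age_s, max_bytes
        self.active, self.since, self.sent = min(self.keys), now, 0

    def needs_rollover(self, now: float) -> bool:
        # Either limit alone is enough: key age or bytes protected.
        return now - self.since >= self.max_age_s or self.sent >= self.max_bytes

    def send(self, segment: bytes, now: float) -> bytes:
        if self.needs_rollover(now):
            newer = [k for k in self.keys if k > self.active]
            if newer:  # switch unilaterally; the peer selects the key by ID
                self.active, self.since, self.sent = min(newer), now, 0
        self.sent += len(segment)
        return tag(self.keys[self.active], self.active, segment)

    def verify(self, segment: bytes, option: bytes) -> bool:
        kid, mac = option[0], option[1:]
        key = self.keys.get(kid)
        return key is not None and hmac.compare_digest(tag(key, kid, segment)[1:], mac)

if __name__ == "__main__":
    conn = ("192.0.2.1", 179, "192.0.2.2", 50000, 1000, 2000)  # constructed sample
    s = Session({1: b"manual-key-one", 2: b"manual-key-two"}, conn, 3600, 100, now=0)
    print([s.send(b"x" * 60, t)[0] for t in (1, 2, 3)])  # key ID used per segment
```
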



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.